
Chapter-3

DIGITAL EVIDENCE & FRAUDS

Session Objectives:
At the end of this session, you will be able to understand: the meaning of digital evidence; the steps of computer forensics; firewall forensics; firewall log analysis and management; database forensics; computer frauds; types of computer crimes; steps for computer crime investigation; and recommendations.

All Rights Reserved. www.sedulitygroups.com

3.1 WHAT IS DIGITAL EVIDENCE?_______________________


Digital Evidence or Electronic Evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Digital evidence is information of probative value that is stored or transmitted in a binary form. This field includes not only computers in the traditional sense but also includes digital audio and video. It includes all facets of crime where evidence may be found in a digital or binary form. Perhaps the most common computer crime in the news is child pornography, but computers are also instrumental in crimes ranging from check fraud to conspiracy to commit murder. Digital Evidence comes in numerous form factors, such as:

While these are obvious form factors, there are numerous form factors that are not so obvious, such as:


3.2 Definitions________________________________________
1. Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for the rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
2. Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
3. Digital Evidence: Information of probative value stored or transmitted in digital form.
4. Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.
5. Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.
6. Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.
7. Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. As compared to more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege.

In computer-related crime cases, evidence is classified into three main categories, according to SWGDE/IOCE standards:
1. Digital evidence, where the information is stored or transmitted in electronic or magnetic form.
2. Physical items, where the digital information is stored, or transmitted through a physical medium.
3. Data objects, where the information is linked to physical items.

Generally speaking, there are three requirements for evidence to be admissible in court:
1. Authentication,
2. The best evidence rule, and
3. Exceptions to the hearsay rule.

Authentication means showing a true copy of the original, best evidence means presenting the original, and the allowable exceptions are when a confession, business, or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential, or most correct, element of this in practice. Some say documentation (of what has been done); others say preservation (or integrity of the original); and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each, or all, as the standard in computer forensic law. In addition, Indian courts require the legality of the evidence; it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the IT Act 2000 and the IT Act 2008.

3.3 Digital Forensic Examiner Proficiency and Competency Tests


Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies, and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills, and abilities of forensic examiners at all levels.


However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement, and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will establish this newest forensic science among the universally accepted laboratory examination specialties.

Special measures should be taken when conducting a forensic investigation if the results are to be used in a court of law. One of the most important measures is to ensure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. To maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (A.C.P.O.) guidelines. These are made up of four principles, as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
There are many reasons to employ the techniques of computer forensics:
1. In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
2. To recover data in the event of a hardware or software failure.
3. To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
4. To gather evidence against an employee that an organization wishes to terminate.
5. To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

There are five basic steps to computer forensics:
1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting


Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to be used based on the case.

Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change). Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated. Other specific practices that have been adopted in the handling of digital evidence include:
1. Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.
2. Establishing and maintaining the chain of custody.
3. Documenting everything that has been done.
4. Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology.
Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers, and network servers. In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases) special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation. Traditionally computer forensic investigations were performed on data at rest, for example, the content of hard drives. This can be thought of as a Dead Analysis. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.


In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys needed to decrypt the storage is in the computer's memory, so turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________


The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd, IXimager or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process. The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still-viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a court room, however.
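The hashing practice described under Collection and the image verification described here can be shown end to end in code. The following Python script is an added example written for this chapter, not code from the chapter or from any tool it names (sha1sum, DCFLdd, Guymager); the file names, examiner identifier and image contents are constructed for the demonstration. It hashes an image in a single pass (MD5 and SHA-1 as the text mentions, plus SHA-256, which current practice prefers over both), appends a chain-of-custody entry to a notebook file, and later re-verifies the image, reporting which digests no longer match after one byte has changed.

```python
"""Evidence-image hashing and re-verification (added example, not from the chapter)."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images never sit in RAM
# MD5 and SHA-1 appear in the chapter; SHA-256 is added because current practice
# no longer relies on MD5 or SHA-1 alone for integrity claims.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=DEFAULT_ALGORITHMS):
    """Read `stream` once and return {algorithm: hexdigest} for every algorithm."""
    digests = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for digest in digests.values():
            digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def hash_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Convenience wrapper for in-memory data (handy for checking known test vectors)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=DEFAULT_ALGORITHMS):
    """Hash the evidence image stored at `path` without modifying it (read-only open)."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def record_acquisition(path, examiner, notebook_path):
    """Append a chain-of-custody entry (file, size, who, when, hashes) to a JSON-lines
    notebook and return it. The notebook stands in for the investigator's notebook
    the chapter mentions; keep it on separate media from the image itself."""
    entry = {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_image(path),
    }
    with open(notebook_path, "a", encoding="utf-8") as notebook:
        notebook.write(json.dumps(entry) + "\n")
    return entry


def verify_image(path, entry):
    """Re-hash the image and compare with the recorded entry.
    Returns (intact, mismatched_algorithms)."""
    current = hash_image(path, tuple(entry["hashes"]))
    mismatches = sorted(alg for alg, recorded in entry["hashes"].items()
                        if current[alg] != recorded)
    return (not mismatches, mismatches)


def demo():
    """Constructed scenario: hash a small 'image', then flip one byte and re-verify.
    Returns (intact_before, intact_after, algorithms_that_caught_the_change)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect_disk.dd")        # constructed file name
        notebook = os.path.join(tmp, "notebook.jsonl")      # constructed file name
        with open(image, "wb") as fh:                       # constructed contents
            fh.write(b"\x00" * 4096 + b"evidence" + b"\xff" * 4096)
        entry = record_acquisition(image, "examiner-01", notebook)
        intact_before, _ = verify_image(image, entry)
        with open(image, "r+b") as fh:                      # simulate tampering
            fh.seek(4096)
            fh.write(b"E")
        intact_after, caught = verify_image(image, entry)
        return intact_before, intact_after, caught


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha1', 'sha256'])
```

Because every algorithm is fed from the same read loop, adding SHA-256 costs no extra pass over a large image; the notebook entry also records size and timestamp so that a later verifier can tell a truncated image from a modified one.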

3.5 Collecting Volatile Data_____________________________


If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down it may be lost. This results in the need to collect volatile data from the computer at the onset of the response. Several Open Source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open Source tools for PCs include Knoppix and Helix. Commercial imaging tools include Access Data's Forensic Toolkit and Guidance Software's EnCase application. The aforementioned Open Source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently accessed local email applications including MS Outlook.

In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down.

RAM can be analyzed for prior content after power loss, although, as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________
All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include: AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________
Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first step in successfully searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search, which covers the location and description of the system. Thirdly, the digital evidence must be properly seized once it is located.
2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g., the keyboard or the mouse) and output (e.g., a monitor or printer) of information. These devices are known as "peripherals," and they are an integral part of any "computer system," which means "the input/output units and auxiliary storage units of a computer system, attached by cables to the central processing unit."

3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software, and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors, and other external attachments will be referred to collectively as "peripherals" and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term "computer system." "Information" refers to all the information on a computer system, including both software applications and data.
4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.
5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene and (2) searches where the information sought has been stored off-site, and the computer at the search scene is used to access this off-site location.
6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria.
When an entire organization is pervasively involved in an ongoing criminal scheme, with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system, after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a "system", dependent on a set configuration to preserve "best evidence" in its original configuration. This can and often does include peripherals, components, manuals, and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out. The field of computer forensics also has sub-branches within it, such as:

3.7 Firewall Forensics:_________________________________


You will need to conduct a forensics analysis using your firewall logs at some point. The underlying objective of a forensic analysis is trying to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process because you do not necessarily have any idea what may or may not be a normal event for the firewall. Performing a forensic analysis is generally an extremely time-consuming and expensive process because in many cases it is much like trying to find a needle in the haystack. You may know what was done, but you do not know necessarily when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired. Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensics analysis or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query, and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.


This is a classic example of a reconnaissance attack; the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that yes indeed a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________


One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack, and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works


In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1 because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that.

In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason it is a bad idea (and in many cases is illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident. Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off. The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved, and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
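The two log-review checks in this chapter, the one-source-many-ports pattern from section 3.7 (Figure 3.1) and the TCP resets from the supposed source that section 3.8 names as a spoofing indicator, can both be run over the same firewall log. The script below is an added example written for this chapter, not code from NetIQ, Cisco or any firewall vendor; the log line format and the sample entries are constructed, and the thresholds (10 distinct ports within 60 seconds) are assumptions to be tuned for the environment being reviewed.

```python
"""Firewall-log triage: port-scan grouping and a spoofed-source indicator
(added example written for this chapter, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (not any real firewall's syntax):
#   <date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport> [flags=<TCP flags>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: flags=(?P<flags>[A-Z]+))?$"
)

# Constructed sample: three ordinary lines, then the Figure 3.1 pattern
# (one source, one destination, many ports inside a minute).
SAMPLE_LOG = [
    "2024-03-01 10:15:00 ALLOW TCP 10.1.1.50:51000 -> 10.1.1.2:80 flags=S",
    "2024-03-01 10:15:00 ALLOW TCP 209.165.201.1:40000 -> 10.1.1.2:25 flags=S",
    "2024-03-01 10:15:01 ALLOW TCP 209.165.201.1:40000 -> 10.1.1.2:25 flags=R",
] + [
    f"2024-03-01 10:16:{i:02d} DENY TCP 10.1.1.200:{40000 + i} -> 10.1.1.2:{port} flags=S"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
]


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        f = match.groupdict()
        events.append({
            "ts": datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": f["action"], "proto": f["proto"],
            "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]),
            "flags": f["flags"] or "",
        })
    return events


def find_port_scans(events, min_ports=10, window_seconds=60):
    """Return {(src, dst): sorted distinct destination ports} for every pair whose
    denied TCP/UDP traffic touched at least `min_ports` distinct ports inside any
    `window_seconds` span. Both thresholds are tuning knobs, not fixed facts."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "DENY" and e["proto"] in ("TCP", "UDP"):
            by_pair[(e["src"], e["dst"])].append(e)
    scans = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):                       # sliding time window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["dport"] for e in evs[start:end + 1]}) >= min_ports:
                scans[pair] = sorted({e["dport"] for e in evs})
                break
    return scans


def spoofed_source_indicators(events):
    """Sources that sent TCP SYNs and also sent bare RSTs to the same host. A host whose
    address was spoofed never opened the connection, so it answers the SYN-ACK it
    receives with a RST (section 3.8). This is an indicator for follow-up, not proof."""
    syn_pairs = {(e["src"], e["dst"]) for e in events
                 if e["proto"] == "TCP" and e["flags"] == "S"}
    rst_pairs = {(e["src"], e["dst"]) for e in events
                 if e["proto"] == "TCP" and e["flags"] == "R"}
    return sorted(src for src, _ in syn_pairs & rst_pairs)


def triage(lines):
    """Run both checks over raw log lines and return the findings."""
    events = parse(lines)
    return {"port_scans": find_port_scans(events),
            "possibly_spoofed_sources": spoofed_source_indicators(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the scanner 10.1.1.200 is reported with its twelve probed ports, while 209.165.201.1 is listed as a possibly spoofed source because the only traffic from it after the initial SYN is a reset; the legitimate client 10.1.1.50 triggers neither check. A real log would also need the vendor's own line format substituted into LINE_RE.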

3.9 Deciphering Port Numbers__________________________


Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall. The lists of default TCP and UDP port numbers, IP protocol numbers, and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers
IP protocols: http://www.iana.org/assignments/protocol-numbers
ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________


An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization as well as the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ for that matter) should probably not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in
Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?


Many companies today secure their network using the "hard outer shell / gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being "more trouble than they are worth". After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built into Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So, what can the Windows Server Advanced Firewall do for you and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?
New with Windows Server 2008, the built-in firewall is now advanced. And it isn't just me saying that; Microsoft now calls it the Windows Firewall with Advanced Security (let's abbreviate that as WFAS). Here are the new features that help justify that new name:
1. New GUI interface: an MMC snap-in is now available to configure the advanced firewall.
2. Bi-directional: filters outbound traffic as well as inbound traffic.
3. Works better with IPsec: the firewall rules and IPsec encryption configurations are now integrated into one interface.
4. Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced Firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall, you can better secure your servers from attack, stop your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?
Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3: Windows 2008 Server Manager

Figure 3.4: Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5: Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC Snap-in?
Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default, you will see that WFAS is ON and blocking inbound connections that don't have a matching rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6: Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile, and a public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion, the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule), in Figure 3.6.


Figure 3.7: Windows 2003 Server Firewall Exception window

Now, let's compare that to Windows 2008 Server:


Figure 3.8: Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server, there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules. WOW!


Figure 3.9: Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule


So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

1. Identify the protocol you want to filter: in our case, it is going to be TCP/IP (as opposed to UDP/IP or ICMP).
2. Identify the source IP address, source port number, destination IP address, and destination port number: our web traffic will be coming from ANY IP address and any port number, going to this server, on port 80. (Note that you could also create a rule for a certain program, such as the Apache HTTP Server.)
3. Open the Windows Firewall with Advanced Security MMC.
4. Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.

Figure 3.10: Windows 2008 Server Advanced Firewall MMC new rule button

5. Select that you want to create a rule for a port.
6. Configure protocol & port number: take the default of TCP, enter the port number as 80 and click Next.
7. Take the default of allow this connection & click Next.
8. Take the default of applying this rule to all profiles & click Next.
9. Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11: Windows 2008 Server Advanced Firewall MMC after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great!
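To make the default-deny inbound policy, the per-profile scoping and the port-80 rule from the walkthrough concrete, here is an added Python example (it is not from the chapter and not Microsoft's code) that models a small subset of how WFAS evaluates a connection: a rule matches on direction, profile, protocol, local port, program and remote address scope, an explicit block rule wins over an allow rule, and traffic that matches nothing falls back to the defaults described above (inbound blocked, outbound allowed). The `Rule` and `Connection` classes, the rule names and the addresses are constructed for the example; `to_netsh` renders a rule as the `netsh advfirewall firewall add rule` command line that would create it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALL_PROFILES = frozenset({"domain", "private", "public"})


@dataclass(frozen=True)
class Rule:
    """A simplified WFAS rule (constructed model, not the real rule object)."""
    name: str
    direction: str                    # "in" or "out"
    action: str                       # "allow" or "block"
    protocol: str = "any"             # "tcp", "udp", "icmpv4" or "any"
    local_port: Optional[int] = None  # None means any local port
    remote_net: str = "0.0.0.0/0"     # scope: remote addresses the rule applies to
    program: Optional[str] = None     # optional path of the program the rule is tied to
    profiles: frozenset = ALL_PROFILES


@dataclass(frozen=True)
class Connection:
    """One connection attempt as seen by the host firewall."""
    direction: str
    protocol: str
    local_port: int
    remote_addr: str
    profile: str                      # profile of the interface the packet arrived on
    program: Optional[str] = None


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """True if every criterion of the rule covers the connection."""
    if rule.direction != conn.direction or conn.profile not in rule.profiles:
        return False
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    if rule.local_port is not None and rule.local_port != conn.local_port:
        return False
    if rule.program is not None and rule.program != conn.program:
        return False
    return ip_address(conn.remote_addr) in ip_network(rule.remote_net)


def evaluate(rules, conn: Connection,
             inbound_default: str = "block", outbound_default: str = "allow") -> str:
    """Decide allow/block: block rules beat allow rules, otherwise the default applies.

    The defaults mirror the out-of-the-box state described in the chapter: inbound
    connections without a matching rule are blocked, outbound filtering is off."""
    matched = [r for r in rules if rule_matches(r, conn)]
    if any(r.action == "block" for r in matched):
        return "block"
    if any(r.action == "allow" for r in matched):
        return "allow"
    return inbound_default if conn.direction == "in" else outbound_default


def to_netsh(rule: Rule) -> str:
    """Render the rule as the netsh advfirewall command line that creates it."""
    parts = ["netsh", "advfirewall", "firewall", "add", "rule",
             f'name="{rule.name}"', f"dir={rule.direction}", f"action={rule.action}"]
    if rule.protocol != "any":
        parts.append(f"protocol={rule.protocol.upper()}")
    if rule.local_port is not None:
        parts.append(f"localport={rule.local_port}")
    if rule.remote_net != "0.0.0.0/0":
        parts.append(f"remoteip={rule.remote_net}")
    if rule.program is not None:
        parts.append(f'program="{rule.program}"')
    if rule.profiles != ALL_PROFILES:
        parts.append("profile=" + ",".join(sorted(rule.profiles)))
    return " ".join(parts)


# The rule from the walkthrough: allow inbound TCP/80 to the third-party web server, all profiles.
APACHE_RULE = Rule("Apache HTTP Server", "in", "allow", "tcp", 80)
# A constructed second rule showing profile scoping and block precedence:
# refuse HTTP while the server happens to be connected to a public network.
PUBLIC_HTTP_BLOCK = Rule("Block HTTP on public networks", "in", "block", "tcp", 80,
                         profiles=frozenset({"public"}))
RULES = [APACHE_RULE, PUBLIC_HTTP_BLOCK]

if __name__ == "__main__":
    for conn in (Connection("in", "tcp", 80, "203.0.113.7", "domain"),
                 Connection("in", "tcp", 80, "203.0.113.7", "public"),
                 Connection("in", "tcp", 3389, "203.0.113.7", "domain"),
                 Connection("out", "tcp", 443, "203.0.113.7", "domain")):
        print(conn.direction, conn.protocol, conn.local_port, conn.profile,
              "->", evaluate(RULES, conn))
    print(to_netsh(APACHE_RULE))
```

The evaluator deliberately keeps the profile on the connection rather than on the host: which profile is active depends on the interface the packet arrived on, which is why the same port-80 request is allowed on the domain profile and blocked on the public one.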

3.10.7 Basic Firewall Configuration in Linux OS


Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level as well as allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

1. High Security: This option disables almost all network connections except DNS replies and DHCP so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio, will not work without a proxy.
2. Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.
3. Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.

3.10.9 Local Hosts


If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP
If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services


GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

1. Web Server: Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.
2. Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.
3. Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.
4. Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall


Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay


A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page, you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org/ and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service


The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:
/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:
/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics:________________________________


(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

1. "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
2. "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the "catch-it-as-you-can" approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs).

(http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________


In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. "Catch it as you can" systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. "Stop, look and listen" systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems, or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus, and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis. We could use the results of this testing to choose the hardware configuration for Sandstorm's NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems, rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks, and instead archive specific capture runs to CD-R or DVD-RAM drives.
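The analysis package described above, which reads a dump of serialized packets and reports the percentage dropped and the longest run of consecutive drops, is short to write. The following Python is an added example of that measurement; it is not from the chapter or from Sandstorm. The dump text, the `serial=` payload marker and the addresses are constructed for the example; a real harness would extract the serial number from the packet payload of a tcpdump or windump capture instead of from a text line.

```python
import re

# Constructed sample capture: one line per recorded packet, in the style of a
# tcpdump text dump where the generator wrote its serial number into the payload.
# Serials 4, 5, 6 and 9 were never recorded, and serial 8 was recorded twice.
SAMPLE_DUMP = """\
09:00:00.000103 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 serial=1
09:00:00.000211 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 512 serial=2
09:00:00.000330 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 1400 serial=3
09:00:00.000551 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 serial=7
09:00:00.000612 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 serial=8
09:00:00.000700 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 serial=8
09:00:00.000790 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 1400 serial=10
"""

SERIAL_RE = re.compile(r"\bserial=(\d+)\s*$")


def serials_from_dump(text: str) -> list:
    """Pull the generator's serial number out of every packet line, in capture order."""
    serials = []
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            serials.append(int(m.group(1)))
    return serials


def analyze_capture(captured, first_serial: int, last_serial: int):
    """Return (dropped_percent, longest_run) for one capture run.

    captured: serials actually recorded; first/last: the inclusive range transmitted.
    Duplicates and out-of-range serials are ignored rather than counted, since they
    point at a generator or capture bug rather than at a dropped packet."""
    expected = last_serial - first_serial + 1
    seen = sorted({s for s in captured if first_serial <= s <= last_serial})
    dropped = expected - len(seen)
    longest, prev = 0, first_serial - 1
    for s in seen + [last_serial + 1]:        # sentinel closes a trailing gap
        longest = max(longest, s - prev - 1)
        prev = s
    return dropped / expected * 100.0, longest


def rank_platforms(runs: dict):
    """Rank {platform: (dump_text, first, last)} by drop rate, best platform first.

    Holding the hardware constant and varying only the OS, as the text describes,
    makes this a like-for-like comparison of capture efficiency."""
    results = {name: analyze_capture(serials_from_dump(dump), lo, hi)
               for name, (dump, lo, hi) in runs.items()}
    return sorted(results.items(), key=lambda kv: (kv[1][0], kv[1][1]))


if __name__ == "__main__":
    pct, run = analyze_capture(serials_from_dump(SAMPLE_DUMP), 1, 10)
    print(f"dropped {pct:.1f}% of packets, longest run of drops = {run}")
```

The longest run matters as much as the percentage: a capture platform that loses 1% of packets in one burst has missed a whole stretch of a conversation, while one that loses the same 1% spread evenly has probably kept every session at least partly intact.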

3.13 Analyzing the Data________________________________


After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings. In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called "traffic analysis" -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the U.S. government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.

Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore. But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, D.C.) that could be programmed to only capture TCP/IP connections that contained a particular keyword. It turned out that the hacker was breaking into other computers and setting up a program called "sni256." So by only recording TCP/IP connections that contained the letters "sni256," the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period, two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX "root" or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.) ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept. Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their "terms of service" agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all.

Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant. Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________


3.14.1 Comprehensive Analysis of Firewall Logs
Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.

Firewall Analyzer supports:

1. Check Point Log Analysis
2. Cisco Device Log Analysis
3. CyberGuard Log Analysis
4. Fortigate Log Analysis
5. Microsoft ISA Log Analysis
6. NetScreen Log Analysis
7. SonicWALL Log Analysis
8. WatchGuard Log Analysis

and many others.

3.14.2 Automatic Firewall Detection


Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
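The chapter does not show what a WELF record looks like or what "collecting, analyzing and reporting" on one involves, so here is an added Python example (not from the chapter and not Firewall Analyzer's code) that parses constructed WELF lines and produces the two figures the section talks about: bytes per source host for bandwidth planning, and a count of denied connections per source as a risk indicator. WELF records are space-separated key=value pairs, with values containing spaces in double quotes, and every record must carry id, time, fw and pri. The log lines, addresses and rule numbers are constructed; treating a msg that begins with "Deny" as a blocked connection is an assumption of this example, since WELF leaves the wording of msg to the vendor.

```python
import shlex
from collections import defaultdict

REQUIRED = {"id", "time", "fw", "pri"}   # fields every WELF record must carry

# Constructed sample export from a firewall, with one non-WELF line mixed in.
SAMPLE_WELF = """\
id=firewall time="2008-03-10 09:15:02" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.1.1.20 dst=198.51.100.7 sent=812 rcvd=45210 msg="Allow outbound HTTP"
id=firewall time="2008-03-10 09:15:09" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.1.1.21 dst=198.51.100.9 sent=640 rcvd=128000
id=firewall time="2008-03-10 09:16:30" fw=192.0.2.1 pri=4 rule=3 proto=tcp/1433 src=203.0.113.50 dst=192.0.2.10 sent=0 rcvd=0 msg="Deny inbound"
id=firewall time="2008-03-10 09:16:31" fw=192.0.2.1 pri=4 rule=3 proto=tcp/1433 src=203.0.113.50 dst=192.0.2.11 sent=0 rcvd=0 msg="Deny inbound"
id=firewall time="2008-03-10 09:17:00" fw=192.0.2.1 pri=6 rule=12 proto=smtp src=10.1.1.20 dst=198.51.100.25 sent=5200 rcvd=300
this line is not WELF at all
"""


def parse_welf_line(line: str):
    """Parse one WELF record into a dict, or return None if it is malformed."""
    try:
        tokens = shlex.split(line)          # honours the quoting of values with spaces
    except ValueError:                      # unbalanced quotes
        return None
    record = {}
    for tok in tokens:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        record[key] = value
    if not REQUIRED.issubset(record):
        return None
    return record


def summarize(text: str):
    """Return (bytes_per_src, denies_per_src, malformed_count) for a WELF export."""
    bytes_per_src = defaultdict(int)
    denies_per_src = defaultdict(int)
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_welf_line(line)
        if rec is None:
            malformed += 1                  # count, never silently drop: gaps matter in forensics
            continue
        src = rec.get("src", "unknown")
        bytes_per_src[src] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
        # Assumption for this example: the vendor prefixes blocked connections with "Deny".
        if rec.get("msg", "").lower().startswith("deny"):
            denies_per_src[src] += 1
    return dict(bytes_per_src), dict(denies_per_src), malformed


def top_talkers(bytes_per_src: dict, n: int = 3):
    """Hosts ranked by total bytes, the figure used for bandwidth planning."""
    return sorted(bytes_per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    traffic, denies, bad = summarize(SAMPLE_WELF)
    print("top talkers:", top_talkers(traffic))
    print("denied connections by source:", denies)
    print("malformed lines:", bad)
```

Counting malformed lines instead of discarding them is deliberate: when logs are later relied on as evidence, the number of records the collector could not read is part of the picture, because a gap can come from a truncated export as easily as from a noisy device.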

3.14.3 Firewall Log Import


In the case of Squid proxy servers, and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving


Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time, and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings


Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed, and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server


Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server, in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles


Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import them later to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.

3.15 Network Forensics Tools:__________________________


(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp.
3. Email Examiner
4. Encase
5. Guidance Software
6. Paraben Corp
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other, Security Policies and Management, Security and Privacy, Software, Software and Web Development, Threats and Attacks, information security

3.16 Database Forensics:_______________________________


Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders, employees or those with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.

For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with need-to-know security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.
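Two of the techniques named at the start of this section, testing row timestamps for validity against the database's own audit trail and making a duplicate of the database as evidence, are shown in the added Python example below. It is not from the chapter; it uses SQLite only because it ships with Python, whereas the text discusses SQL Server and Oracle, and the `accounts` and `audit_log` tables, the rows and the user names are constructed for the example. The duplicate is taken with SQLite's online backup API and hashed with SHA-256, so the working copy can later be shown to match what was acquired; the analysis is then run on the copy, never on the original.

```python
import hashlib
import os
import sqlite3
import tempfile


def build_sample_db() -> sqlite3.Connection:
    """Constructed evidence: an accounts table plus the DBMS's own audit trail.

    Row 3 carries an update timestamp earlier than its creation time and has no
    audit entry, the kind of inconsistency that points at tampering."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER,
                              created_at TEXT, updated_at TEXT, updated_by TEXT);
        CREATE TABLE audit_log(id INTEGER PRIMARY KEY, account_id INTEGER,
                               actor TEXT, ts TEXT, action TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 100,  '2008-01-05 09:00:00', '2008-01-05 09:00:00', 'app');
        INSERT INTO accounts VALUES (2, 'bob',   250,  '2008-01-06 10:00:00', '2008-02-01 14:30:00', 'dba_jsmith');
        INSERT INTO accounts VALUES (3, 'carol', 9000, '2008-01-07 11:00:00', '2007-12-31 23:59:00', 'dba_jsmith');
        INSERT INTO accounts VALUES (4, 'dave',  40,   '2008-01-08 12:00:00', '2008-02-10 08:00:00', 'app');
        INSERT INTO audit_log VALUES (1, 2, 'dba_jsmith', '2008-02-01 14:30:00', 'UPDATE balance');
        INSERT INTO audit_log VALUES (2, 4, 'app',        '2008-02-10 08:00:00', 'UPDATE balance');
    """)
    return conn


def find_suspect_rows(conn: sqlite3.Connection, acquired_at: str) -> list:
    """Flag rows whose timestamps cannot be right or whose update has no audit entry.

    Timestamps are ISO-8601 text, so plain string comparison orders them correctly."""
    audited = set(conn.execute("SELECT account_id, ts FROM audit_log").fetchall())
    findings = []
    for rid, created, updated in conn.execute(
            "SELECT id, created_at, updated_at FROM accounts ORDER BY id"):
        if updated < created:
            findings.append((rid, "updated_at precedes created_at"))
        if updated > acquired_at:
            findings.append((rid, "updated_at is later than the acquisition time"))
        if updated != created and (rid, updated) not in audited:
            findings.append((rid, "update has no matching audit_log entry"))
    return findings


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large database files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def duplicate_evidence(conn: sqlite3.Connection, path: str) -> str:
    """Write a consistent copy of the live database to path and return its SHA-256."""
    target = sqlite3.connect(path)
    conn.backup(target)                    # page-level copy via SQLite's online backup API
    target.close()
    return file_sha256(path)


def run_demo():
    """Acquire (copy and hash), then analyze the copy and confirm it is unchanged."""
    live = build_sample_db()
    path = os.path.join(tempfile.mkdtemp(), "accounts-duplicate.db")
    acquisition_hash = duplicate_evidence(live, path)
    live.close()

    working_copy = sqlite3.connect(path)
    findings = find_suspect_rows(working_copy, "2008-02-15 00:00:00")
    row_count = working_copy.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    working_copy.close()
    # Re-hash after analysis: read-only work must leave the duplicate byte-for-byte intact.
    still_intact = file_sha256(path) == acquisition_hash
    return findings, row_count, still_intact


if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding)
```

The acquisition time is passed in explicitly because an update stamped later than the moment the copy was taken is as telling as one stamped before the row existed: either the clock on the server is wrong, which undermines every other timestamp, or the value was written by hand.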

3.16.1 A multi-factored security model


What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms
Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini-virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules
Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database, machine, IP address, time of day and authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict selected information traffic to pre-approved IP addresses.

3.16.4 Roles
As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records, but security administrators also need to be empowered to restrict such access, according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies


The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema management and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure. Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems.
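To make the four mechanisms concrete (realms, rules, roles and system policies from 3.16.2 to 3.16.5), here is an added example, not from this chapter or any product, of a small policy evaluator for a database access request. The realm names, roles, objects, network ranges and business hours are constructed for illustration.

```python
"""Added example: layered evaluation of a database access request using
realms, roles, a system (schema) policy and decision-factor rules.
All names, objects and ranges below are constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Realms: protection zones around sets of database objects. Access to an
# object inside a realm needs a realm-authorized role; system privileges
# such as the DBA role do not open the realm by themselves.
REALMS = {
    "HR_REALM": {"objects": {"hr.employees", "hr.salaries"},
                 "authorized_roles": {"hr_analyst"}},
    "FIN_REALM": {"objects": {"fin.ledger"},
                  "authorized_roles": {"finance_clerk"}},
}

# Roles: which operations each role may perform. The DBA manages the system,
# the security administrator manages protections; neither does the other's job.
ROLE_OPERATIONS = {
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "CREATE", "DROP"},
    "secadmin": {"GRANT_REALM", "REVOKE_REALM"},
    "hr_analyst": {"SELECT"},
    "finance_clerk": {"SELECT", "INSERT", "UPDATE"},
}

# System policy: objects whose schema the security administrator has frozen.
SCHEMA_FROZEN = {"app.audit_log"}

# Rules: decision factors applied to schema changes (IP range, time of day,
# authentication mode).
SCHEMA_OPERATIONS = {"ALTER", "CREATE", "DROP"}
CORPORATE_INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass
class Request:
    user: str
    role: str
    operation: str
    obj: str
    source_ip: str
    at: time
    auth_mode: str = "password"   # "password" or "strong" (two-factor)


def realm_of(obj: str) -> Optional[str]:
    for name, realm in REALMS.items():
        if obj in realm["objects"]:
            return name
    return None


def evaluate(req: Request) -> Tuple[bool, str]:
    """Apply the layers in turn; the first failing factor denies the request."""
    # 1. Role: the operation must be one the role is allowed to perform.
    if req.operation not in ROLE_OPERATIONS.get(req.role, set()):
        return False, f"role {req.role} may not {req.operation}"
    # 2. Realm: protected objects need realm authorization, even for the DBA.
    realm = realm_of(req.obj)
    if realm and req.role not in REALMS[realm]["authorized_roles"]:
        return False, f"{req.obj} is inside {realm}; role {req.role} is not authorized"
    # 3. System policy: a frozen schema cannot be altered by anyone.
    if req.operation in SCHEMA_OPERATIONS and req.obj in SCHEMA_FROZEN:
        return False, f"schema of {req.obj} is frozen by the security administrator"
    # 4. Rules: schema changes only from the intranet, in business hours,
    #    and only with strong authentication.
    if req.operation in SCHEMA_OPERATIONS:
        src = ip_address(req.source_ip)
        if not any(src in net for net in CORPORATE_INTRANET):
            return False, "schema change from outside the corporate intranet"
        if not BUSINESS_HOURS[0] <= req.at <= BUSINESS_HOURS[1]:
            return False, "schema change outside business hours"
        if req.auth_mode != "strong":
            return False, "schema change requires strong authentication"
    return True, "allowed"


def check(user, role, operation, obj, source_ip, hour, auth_mode="password"):
    """Convenience wrapper: build a request for the given hour and evaluate it."""
    return evaluate(Request(user, role, operation, obj, source_ip, time(hour, 0), auth_mode))


if __name__ == "__main__":
    for args in [
        ("alice", "dba", "SELECT", "hr.salaries", "10.1.2.3", 10),          # realm denies
        ("bob", "hr_analyst", "SELECT", "hr.salaries", "10.1.2.3", 10),     # allowed
        ("alice", "dba", "ALTER", "app.sessions", "203.0.113.5", 10, "strong"),  # rule: IP
        ("alice", "dba", "ALTER", "app.sessions", "10.1.2.3", 23, "strong"),     # rule: hours
        ("alice", "dba", "ALTER", "app.sessions", "10.1.2.3", 10, "strong"),     # allowed
        ("alice", "dba", "ALTER", "app.audit_log", "10.1.2.3", 10, "strong"),    # policy
    ]:
        print(args, "->", check(*args))
```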
Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:
- Access control
- Auditing
- Authentication
- Encryption
- Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms; a set of best practices that cross over the platforms; and linkages of the standards to higher-level policies and governmental regulations.
3.16.6 Vulnerability Assessments and Compliance


An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerabilities that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially public ones) granted to objects within the database. Database objects include tables and the other object types of the platform. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction
Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login ID and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring


Another security layer of a more sophisticated nature is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
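The baseline-and-deviation approach described above, as an added example that is not from this chapter or from any monitoring product: a profile of normal activity per account is built from one window of records, and a later window is checked against it. The record format (timestamp, account, statement, object) and all the records are constructed sample data; real products and native audit trails use their own formats.

```python
"""Added example: anomaly detection over database activity records by
comparing against a per-account baseline. All records are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed training window: what each account normally does and when.
BASELINE_LOG = """
2024-03-04T09:12:01 app_svc SELECT orders
2024-03-04T09:12:05 app_svc INSERT orders
2024-03-04T10:02:17 app_svc SELECT customers
2024-03-04T10:30:44 hr_analyst SELECT employees
2024-03-04T11:15:09 app_svc UPDATE orders
2024-03-04T14:40:21 hr_analyst SELECT employees
"""

# Constructed observation window containing three deviations.
NEW_LOG = """
2024-03-05T09:01:13 app_svc SELECT orders
2024-03-05T09:05:30 app_svc SELECT customers
2024-03-05T02:14:55 app_svc SELECT customers
2024-03-05T10:20:02 hr_analyst SELECT salaries
2024-03-05T10:21:40 hr_analyst DELETE employees
"""


def parse(log: str):
    """One record per line: ISO timestamp, account, statement type, object."""
    events = []
    for line in log.strip().splitlines():
        ts, user, stmt, obj = line.split()
        events.append((datetime.fromisoformat(ts), user, stmt, obj))
    return events


def build_baseline(events):
    """Per account: the (statement, object) pairs seen and the hours of day
    in which the account was active."""
    profile = defaultdict(lambda: {"actions": set(), "hours": set()})
    for ts, user, stmt, obj in events:
        profile[user]["actions"].add((stmt, obj))
        profile[user]["hours"].add(ts.hour)
    return profile


def detect(events, profile):
    """Return (timestamp, account, reason) for every record that departs
    from the account's baseline: unknown account, new action, or new hour."""
    alerts = []
    for ts, user, stmt, obj in events:
        p = profile.get(user)
        if p is None:
            alerts.append((ts, user, "account never seen in baseline"))
            continue
        if (stmt, obj) not in p["actions"]:
            alerts.append((ts, user, f"new action {stmt} on {obj}"))
        if ts.hour not in p["hours"]:
            alerts.append((ts, user, f"activity at hour {ts.hour:02d} outside baseline"))
    return alerts


def run():
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, reason in run():
        print(ts.isoformat(), user, reason)
```

A production baseline would be built over weeks, not one day, and would weight counts rather than using plain set membership, but the decision structure is the same.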


3.16.9 Native Audit


In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network-level and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures


A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________


SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning


One possibility is using an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.
First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:
http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup, using a query similar to the following:
SELECT phone FROM directory WHERE lastname = 'chapple' and firstname= 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:
http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e 0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:
SELECT phone FROM directory WHERE lastname = 'chapple' and firstname='mike' AND (select count(*) from fake)> 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the '=' character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results


The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL! You'll see an error message from the application similar to the one below:
Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple!

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't!), you'll see something like this:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error, such as:

3.17.4 Internal Server Error


The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack! Some steps that you can take to protect your applications against SQL Injection attacks include:
- Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.
- Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn't have permission to execute it, it will not succeed!
- Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
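The directory lookup from 3.17.2, written two ways so the test input from the text can be watched succeeding against string concatenation and doing nothing against a parameterized query, together with the parameter check recommended above. This is an added example, not the chapter's directory.asp or any real site; sqlite3 stands in for SQL Server and the table rows are constructed sample data.

```python
"""Added example: the chapter's directory lookup built by string concatenation
(vulnerable) beside a parameterized version, exercised with the probe input
from the text. Table contents are constructed sample data."""
import sqlite3
from typing import List, Union


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("chapple", "mike", "555-0100"),
        ("smith", "jane", "555-0101"),
    ])
    return conn


def lookup_vulnerable(conn, lastname: str, firstname: str) -> Union[List[str], str]:
    # The statement is assembled by string concatenation, which is what the
    # text assumes directory.asp does: whatever is in the first name becomes SQL.
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The 'Invalid object name' case from the chapter: the injected
        # subquery referenced a table that does not exist.
        return "error: " + str(exc)


def lookup_parameterized(conn, lastname: str, firstname: str) -> List[str]:
    # Placeholders: the driver sends the values separately from the statement
    # text, so the quote and the OR clause are just characters in a name.
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def is_valid_name(value: str) -> bool:
    # Parameter checking from the text: reject anything that is not a plain
    # name before the query is even built.
    return 0 < len(value) <= 40 and value.replace("-", "").isalpha()


# The chapter's probe, URL-decoded ('+' -> space, %3e -> '>', %3d -> '=').
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"
# The tautology half of the same probe on its own: no error, every row returned.
PROBE_TAUTOLOGY = "x' OR '1'='1"


def run_lookups() -> dict:
    """Run both lookups with normal input and with the probes."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "chapple", "mike"),
        "normal_safe": lookup_parameterized(conn, "chapple", "mike"),
        "probe_vulnerable": lookup_vulnerable(conn, "chapple", PROBE),
        "probe_safe": lookup_parameterized(conn, "chapple", PROBE),
        "tautology_vulnerable": sorted(lookup_vulnerable(conn, "chapple", PROBE_TAUTOLOGY)),
        "tautology_safe": lookup_parameterized(conn, "chapple", PROBE_TAUTOLOGY),
        "probe_passes_validation": is_valid_name(PROBE),
    }


if __name__ == "__main__":
    for name, result in run_lookups().items():
        print(f"{name}: {result}")
```

The vulnerable path reports the missing table (the SQLite wording of the chapter's 'Invalid object name') and, for the tautology, leaks both rows; the parameterized path returns an empty result for both probes because no first name literally equals the probe string.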

3.18 Mobile Forensics._________________________________


Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies, and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources departments that need to prove whether a phone call was actually taken, or by private investigators checking whether a client was where they say they were at a given time. These are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature says that you will tell at least someone. On a computer, they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.
All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays, the forensic investigator cannot rely solely on mobile phone investigative resources, but must have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. This technology is relatively new, and although it was accepted in a British court of law, that does not necessarily mean it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem of Pay-As-You-Go/Prepaid phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________


Digital Fraud or Computer Crime refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence, even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital/Computer Fraud is rampant, as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information, or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?


You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud


An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft


Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. As the saying goes, "one man's trash is another man's treasure." There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users, and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer they can be subject to criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:
- Sending hoax emails intended to scare people.
- Illegally using someone else's computer or posing as someone else on the Internet.
- Using spyware to gather information about people.
- Emails requesting money in return for small deposits.
- Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.
- Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.
- Using someone else's computer to access personal information with the intent to use it fraudulently.
- Using the computer to solicit minors into sexual alliances.
- Violating copyright laws by copying information with the intent to sell it, such as DVDs and CDs.
- Hacking into computer systems to gather large amounts of information for illegal purposes.
- Hacking into or illegally using a computer to change information, such as grades, work reports, etc.
- Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes:_________________________________


Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime:


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.

However, crimes are sure to end, as it is truth that always triumphs! The types of computer crimes are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking: The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.


Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further. When you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation:______________


In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:
1. Documenting the hardware configuration of the affected system.
2. Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
3. Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
4. Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
5. Documenting the date and time associated with computer files when the computer was taken into evidence.
6. Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important step is to evaluate the file slack, i.e. the unused data storage area at the end of allocated files. File slack is a good source when investigating crimes committed through the internet. Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually. Finally, it is important to document the findings and issues that have been identified during the computer search.
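The mathematical authentication, duplicate verification and keyword-search steps of the procedure above, as an added Python illustration that is not code from the original chapter; the disk image is constructed inline, whereas real work runs the same functions over bit-stream images of the seized drives:

```python
"""Acquisition-integrity and keyword-search helpers for the investigation
steps described above (added example; not part of the original chapter)."""
import hashlib
import re

# Constructed sample "image": an allocated file region followed by slack /
# unallocated bytes that still hold remnants of a deleted file.
SAMPLE_IMAGE = (
    b"INVOICE 2024 transfer to account 123\x00\x00\x00"
    b"deleted: send the wire tonight\x00" + b"\x00" * 16
)


def authenticate(image: bytes) -> str:
    """Mathematical authentication of evidence: a cryptographic hash of the
    whole image. Hashing at seizure and again before analysis proves that
    no alterations were made in between."""
    return hashlib.sha256(image).hexdigest()


def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """A bit-stream duplicate is only usable as evidence if its hash matches
    the hash recorded for the original at acquisition."""
    return authenticate(original) == authenticate(duplicate)


def keyword_search(image: bytes, keywords) -> dict:
    """Search the raw image bytes for each keyword from the investigator's
    keyword list. Working on the raw image rather than the file system
    means slack and unallocated space are covered too, so remnants of
    deleted files are found. Returns {keyword: [byte offsets]}."""
    hits = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits[kw] = [m.start() for m in pattern.finditer(image)]
    return hits


if __name__ == "__main__":
    print("acquisition hash:", authenticate(SAMPLE_IMAGE))
    print("duplicate verified:", verify_duplicate(SAMPLE_IMAGE, bytes(SAMPLE_IMAGE)))
    print(keyword_search(SAMPLE_IMAGE, ["invoice", "account", "wire"]))
```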

3.22 Recommendations:________________________________
Even though there are stiff penalties for committing computer fraud, the laws governing it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and commit to the following computer philosophy when you are on the net:
1. Do not give personal information to anyone or to any company you have never heard of before. This includes your full name, your address, your phone number, credit card number, social security number, or information about the people in your household.
2. Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
3. Do not open emails from strangers.
4. Install anti-virus software and spam-blocking programs on your computer and your email program.
5. Do not download attachments from people you do not know.
6. Teach your children about safe communication on the Internet to protect them from Internet predators.
7. Do not keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words. Never give your password to someone else.
