Digital Forensics in Fraud Investigations

People

Networks

Processes

Procedures

K. K. Mookhey, CISA, CISSP, CISM

Principal Consultant NII Consulting
w w w . n i i co n s u l t I n g . c o m

Agenda

Confidential

Computer crime statistics Case studies Internal attacks Introduction to computer forensics Methodology Tools Proactive measures Conclusion

www.niiconsulting.com

CSI/FBI Survey Crime Statistics

Confidential

www.niiconsulting.com

Selected Costs
Sasser:
Clean-up: $1billion+ and growing

SirCam: 2.3 million computers affected

Clean-up: $460 million Lost productivity: $757 million

Code Red: 1 million computers affected

Clean-up: $1.1 billion Lost productivity: $1.5 billion

Love Bug: 50 variants, 40 million computers affected

$8.7 billion for clean-up and lost productivity

Confidential

www.niiconsulting.com

Attack Trends Overview

Automation: increasing speed of attacks Increasingly sophisticated attack tools Faster discovery of vulnerabilities Increasing permeability of firewalls Increasingly asymmetric threats Attacks moving to applications and customized software Due to lack of standard forensics methodology in India, evidence collection is faulty Time gap between a vendor patch, and the virus/worm is now only 17 days!
Confidential www.niiconsulting.com

Case Studies
People Networks

Processes

Procedures

w w w . n i i co n s u l t I n g . c o m

Case study 1
Client was a major telecom company Was receiving very malicious and demoralizing emails from an anonymous email ID The content indicated it was either an insider, or an ex-employee We collected all emails, checked their headers got information about the Internet Service Provider
Confidential www.niiconsulting.com

Investigating email header

SamSpade Demo All emails carry the senders IP address This is used to find out his ISP (Internet Service Provider) The ISPs maintain logs about everyone, and are able to pin-point to the source PC But it could be in a cyber-caf, or an unsuspecting user whos PC the hacker compromised, or some PC in Russia!
Confidential www.niiconsulting.com

Case study 1
Presented information to Cyber Crime Cell They sent formal letters to the concerned ISP and the Mail Service Provider (Indiatimes, Yahoo, Hotmail, Rediffmail, etc.) ISP replied back within 72 hours Mail Service Provider gave access to the senders account ISP information showed the source IP address was of the Internet connection given to a competing telecom company

Confidential

www.niiconsulting.com

Case study 1
We collected a list of all separations from the client for the period covering the emails Took the list to the competitor along with the Cyber Crime Cells Sub-inspector They told us one name matched that list the lady had joined them recently That person was the actual sender Called in for gentle persuasion a confession Client chose not to pursue a legal case, but let her off with a stern warning

Confidential

www.niiconsulting.com

Case study 2
Cyber Crime Cell site itself was hacked Site was hosted by a third-party web hosting company The logs of the server showed a number of failed login attempts to the File Transfer Protocol (FTP) Service Then a successful login attempt Then a file transfer of the main index.htm file
Confidential www.niiconsulting.com

Case study 2
The IP address was similarly traced to the Internet Service Provider From the ISP to a cyber caf Seemed like a dead-end The cyber caf owner and engineer were arrested mistakenly There was no record of who had come to the cyber caf on that day Hacker calls up Sub-Inspectors and taunts him Reveals his name as Dr. Neukar
Confidential www.niiconsulting.com

Case study 2
Internet search reveals the home page of Dr. Neukar with his picture on it!! Police take that, and he is immediately recognized as someone in the vicinity Taken into custody confesses immediately Case pending in court

Confidential

www.niiconsulting.com

Case Study 3 Phishing

The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the users information.
Confidential www.niiconsulting.com

Case Study 3 - Phishing

It is easy to make the bogus site look like the original site by copying and replicating the HTML code of the page These scams have affected:
Citibank E-bay Yahoo!

Confidential

www.niiconsulting.com

Citibank Phishing attack

Users sent email, informing that their credit card will expire due to various reasons, and they need to reauthenticate, by clicking on: http://www.citibank.com:ac=piUq3027qc Hw003nfuJ2@sd96V.pIsEm.NeT sd96V.pIsEm.NeT The user would actually see something like this:

Confidential

www.niiconsulting.com

Confidential

www.niiconsulting.com

Citibank Phishing
The site in the background is actually www.citibank.com The window in the front belongs to a Russian hacker group. When some user actually enters those details, they get transmitted to the hackers Message is shown, saying Information entered correctly, credit card will NOT be expired But it will surely be heavily misused!

Confidential

www.niiconsulting.com

Cyber Crime Investigation

People Networks

Processes

Procedures

w w w . n i i co n s u l t I n g . c o m

Attack Trends Overview

Automation: increasing speed of attacks Increasingly sophisticated attack tools Faster discovery of vulnerabilities Increasing permeability of firewalls Increasingly asymmetric threat Increasing threat from infrastructure attacks
--CERT/CC

Confidential

www.niiconsulting.com

What is computer forensics?

Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Arose as a result of the growing problem of computer crimes. Forensics experts follow clear, well-defined mythologies and procedures

Confidential

www.niiconsulting.com

Computer forensics when?

A year or more after an individual left the company After the hard drive has been formatted To recover critical emails off of a hard drive

Confidential

www.niiconsulting.com

Data Hiding
There are several techniques that intruders may hide data.
Obfuscating data through encryption and compression. Hiding through codes, steganoraphy, name embedding, obscurity and nonames on files Blinding investigators through changing behavior of system commands and modifying operating systems.

Use commonly known tools to overcome

Confidential

www.niiconsulting.com

Steganography
The practice of hiding a message within a larger one in such a way that others cannot discern the presence or contents of the hidden message. Can be used for legitimate purpose like copyright protection However used mostly for illegitimate reasons - To steal data by concealing it in another file and send it out as email attachment

Confidential

www.niiconsulting.com

Steganography
Tools are freely available for steganography F5 hides messages in JPEG files SecureEngine hides text files in larger text files MP3Stego hides files in MP3 files How to prevent or detect steganography? There is no spicific answer. A preventive step- A corporate security policy restricting installation of unauthorized programs

Confidential

www.niiconsulting.com

Alternate Data Streams - ADS

Based on the concept of file-fork Contains link to resources Can be used to hide data, as ads files are hidden Example Can hide text files, movies, sound files, executables, etc Detection using tools like ScanADS, etc

Confidential

www.niiconsulting.com

What can Disk Forensics do?

Recovers:
Deleted files Passwords Cryptographic keys

Analyzes file access, modification and creation times. Views/analyzes:

System logs Application logs

May determine users or applications system activity. Analyze e-mails for source information and content.
Confidential www.niiconsulting.com

Basic Methodology
Without altering or damaging original source, acquire evidence Authenticate that recovered evidence is the same as the original. Establish audit trail of all processes applied to computer based evidence.
Must be third party repeatable

Analyze the data without modifying it.

Confidential

www.niiconsulting.com

Methodology
Failure to utilize appropriate methodologies may prevent successful prosecution
May cost your organization $4.3 Million!

Failure to maintain evidence integrity may invalidate the evidence.

You may know who committed the crime, but without your evidence, you may not be able to prove it in court. For further information, consult the ACPO Good Practices Guide.

Confidential

www.niiconsulting.com

Computer Forensics Development

Disk Forensics
Well developed

System Forensics
O/S Dependent

Network Forensics
Includes ID systems

Internet Forensics
Includes ISP logs etc.

Confidential

www.niiconsulting.com

Disk Forensics
Requires (bit-stream) Image copies
Include slack, unallocated space, and deleted file fragments.

Investigating officers must be able to demonstrate compliance with evidence rules Integrity can be demonstrated with a message digest.

Confidential

www.niiconsulting.com

Network Forensics
Evidence collected from normal operation
Logs Intrusion Detection Systems

Evidence collected in specific surveillance

Extended logs Sniffers

IP headers contain source and destination IP addresses DataLink headers contain source and destination MAC addresses

Confidential

www.niiconsulting.com

Sniffer output - Ethreal

Confidential

www.niiconsulting.com

Computer Addresses
Logical or IP addresses
Public IP addresses are assigned by ARIN

Physical or MAC addresses

MAC addresses are burned in and have been used to identify a particular computer
Melissa and the Love Bug Viruses were identified this way

Confidential

www.niiconsulting.com

Investigating email header

Confidential

www.niiconsulting.com

Digital Evidence life cycle

Evidence Life Cycle Discovery and recognition Protection Recording Collection Identification Preservation Transportation Presentation in court Return to owner Confidential

www.niiconsulting.com

Digital evidence
Digital evidence must be authentic and must be able to be proven that it has not been modified

Confidential

www.niiconsulting.com

Rules of Evidence
Distinguish between hearsay and direct evidence Require proof of authenticity and integrity
Chain of custody requires that:
No information has been added or changed A complete copy was made A reliable copying process was used All media was secured.

A Message Digest can demonstration Integrity A digital signature can demonstrate Authentication and Non Repudiation

Confidential

www.niiconsulting.com

Common Problems
No established incident response team.
Evidence compromised while it was gathered

No established incident response policies

Evidence may be compromised prior to gathering

Inappropriate methodology
Peer review

Broken chain of custody

Appropriate evidence was gathered but can not be presented in court

Confidential

www.niiconsulting.com

Commercial Forensics Tools

Tools and Vendors include:
EnCase Guidance Software Pasadena, CA SafeBack New Technologies, Inc. (NTI), Gresham, Oregon

Confidential

www.niiconsulting.com

Other Forensic Tools

Linux DD
Used by FBI, among other tools, in Zacarias Moussaouis Case By Dan Farmer and Wietse Venema Used for investigating Unix systems Inexpensive hex, disk, and RAM editor. Data analysis features include identification of certain file types (such as images) in unknown data, like that of recovered files. Includes drive imaging and deleted data recovery capabilities.

Coroners Tool Kit (CTK)

Winhex State-of-the-Art Software

MD5Sum, 128 bit Message Digest generator

Confidential www.niiconsulting.com

Internet Data Incident Response Guidelines

Restore service safely Estimate extent and cost of incident Identify source of attack and their motivation Deter future crime Recover loss Protect public image Conduct due diligence Assume corporate responsibility Increase understanding of security landscape.

Confidential

www.niiconsulting.com

Roles and Responsibilities

To facilitate teamwork the organizations roles must be assigned as fallows:

Confidential

Corporate security and incident team Security investigator Emergency response core team Application owner Application developer System owner/administrator Network administrator Firewall administrator Security consultants
www.niiconsulting.com

What needs to be a forensics expert ?

Operating systems (Windows, Linux, Unix, Sun, etc) Database Servers (Oracle, MS SQL server, Sybase, etc) Web Servers (Apache, IIS, etc) Firewalls, IDS, Routers, etc Forensics Tools Jack of all trades

Confidential

www.niiconsulting.com

What needs to be a forensics expert ?

Patience to sit in front of the computer and analyze data that could take a considerable amount of time Nothing like click..next..next.. & finish forensics.

Confidential

www.niiconsulting.com

Conclusion
With the new attack vectors being introduced every days .

Confidential

www.niiconsulting.com

Internal Attackers
People Networks

Processes

Procedures

w w w . n i i co n s u l t I n g . c o m

The Rogue Internal User

Internal users are most dangerous They have much higher knowledge levels about the system than an outsider They are more trusted than an outsider is They sometimes have much more motivation to cause damage than an outsider does
Confidential www.niiconsulting.com

Types of rogue users

The Malicious user
About to quit his job, or be fired, isnt too happy with the company, and wants to leave his mark

The Curious user

Has some free time, wants to explore around and see what he can do, where he can go

The Ignorant user

Has less ideas about how the systems work, might accidentally delete a critical file, or enter wrong data

Confidential

www.niiconsulting.com

Tracking the rogue internal user

Places to look at:
Browser history, such as that of Internet Explorer Demo Cookies folder shows which sites he has visited - Demo Recent folder for recently used files in Documents and Settings folder Demo Recent file lists of Office applications, such as Microsoft Word, Excel, etc. Demo Nethood folder shows recent network shares accessed by the user Demo

Confidential

www.niiconsulting.com

Tools to track the rogue user

Keylogger
Tracks all the keystrokes typed by the user Emails them to a pre-determined email address Captures everything, including passwords Can be detected by an anti-virus software

Network servers
See the Internet web sites visited from that users IP address See the files downloaded or accessed from central servers by that user Watch out for multiple failed login attempts from that users PC

Confidential

www.niiconsulting.com

Surveillance Software
Most effective tools to monitor a suspicious user These software run transparently in the background, and capture:
Users keystrokes Screen snapshots Emails sent Attachments sent via email Instant messenger conversations

Send this information to a remote server

Confidential www.niiconsulting.com

Confidential

www.niiconsulting.com

Confidential

www.niiconsulting.com

Fooling the internal user

Social Engineering
One of the most prevalent attack techniques The attacker will use flattery, persuasion, show of authority, or build a rapport to extract critical information from the user Could also be used to fool users into revealing or changing their passwords attacker impersonates system administrator Could be done via a faked email asking all users to set their passwords to password. At least 5% users will fall victim to such pranks (see phishing)

Confidential

www.niiconsulting.com