
System Intrusion and Computer Forensic Module Code: CSM203

2009 by Informatics Education Ltd A Member of Informatics Group Informatics Campus 12 Science Centre Road Singapore 609080

CSM 203 System Intrusion and Computer Forensic

Learning Guide (Draft)

First Printing October 2009

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the publisher. Every precaution has been taken by the publisher and author(s) in the preparation of this book. The publisher offers no warranties or representations, and does not accept any liabilities with respect to the use of any information or examples contained herein. All brand names and company names mentioned in this book are protected by their respective trademarks and are hereby acknowledged. The developer is wholly responsible for the contents, errors and omission.

Published by Informatics Education Ltd


Table of Contents
Your Lecturer ... 5
Unit Specifications ... 5
Lesson Plan ... 6
Assessment Methods ... 12
    Assignment (Coursework) ... 12
    Tests ... 13
    Examinations ... 13
Module Objectives ... 15
Unit 1: Information Security Fundamentals ... 16
    Introduction ... 16; Topics to be Covered ... 16; Discussion Questions ... 16
Unit 2: Addressing Threats ... 17
    Introduction ... 17; Topics to be Covered ... 17; Discussion Questions ... 17
Unit 3: Backdoors, Virus and Worms ... 18
    Introduction ... 18; Topics to be Covered ... 18; Discussion Questions ... 18
Unit 4: The Hacking Cycle ... 20
    Introduction ... 20; Topics to be Covered ... 20; Discussion Questions ... 20
Unit 5: Computer Forensic Fundamentals ... 22
    Introduction ... 22; Topics to be Covered ... 22; Discussion Questions ... 22
Unit 6: Trademarks, Copyright and Patents ... 23
    Introduction ... 23; Topics to be Covered ... 23; Discussion Questions ... 23
Unit 7: Network Forensic Fundamentals ... 24
    Introduction ... 24; Topics to be Covered ... 24; Discussion Questions ... 25
Unit 8: Incidents Response and Forensics ... 26
    Introduction ... 26; Topics to be Covered ... 26; Discussion Questions ... 26
Unit 9: Digital Evidence ... 27
    Introduction ... 27; Topics to be Covered ... 27; Discussion Questions ... 27
Unit 10: Steganography ... 28
    Introduction ... 28; Topics to be Covered ... 28; Discussion Questions ... 28
Unit 11: Analysing Logs ... 30
    Introduction ... 30; Topics to be Covered ... 30; Discussion Questions ... 30
Unit 12: Email Crime and Computer Forensics ... 31
    Introduction ... 31; Topics to be Covered ... 31; Discussion Questions ... 31

Your Lecturer
Instructor Name and Contact Information:
Name :
Email Address :
Home Phone Number :
Office Telephone Number :

Unit Specifications
Unit Name: CSM203: System Intrusion and Computer Forensic
Unit Type: Year 2 Core
Pre-Requisite: None
Unit Description: This module introduces to students the foundation of system intrusion and computer forensic investigation, looking into the processes and tools used by hackers and by computer forensic and investigation professionals.
Learning Outcomes: At the completion of this module a student should be able to:
1. Understand the essentials of system intrusion and computer forensic investigation
2. Comprehend the processes and tools used by professionals as well as penetration testers.
Teaching Methods: Weekly lessons of 3 hours, over 12 weeks, inclusive of lectures, discussions and case reviews.
Main Text:
1. Guide To Computer Forensics And Investigations, Amelia Phillips, Frank Enfinger, Chris Steuart, ISBN: 0619217065
2. Hacking Exposed, McClure, Stuart; Scambray, Joel; Kurtz, George, Osborne/McGraw, February 2009, ISBN: 0071613749 / 9780071613743
Additional Reading:
1. Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Niels Provos; Thorsten Holz, Publisher: Addison Wesley Professional, Pub Date: July 16, 2007, Print ISBN-10: 0-321-33632-1, Print ISBN-13: 978-0-321-33632-3
Useful Links: www.foundstone.com, www.sysinternals.com, www.ntsecurity.nu, www.sarc.com, www.ipos.gov.sg, www.wipo.int

Assessment

1. 100% coursework based
2. Exam rubric may change from time to time and from module to module. Double check with the school.

Lesson Plan
(Columns of the original table: S/N, Topics, Description, Chapter in Text, Activity.)

1. Information Security Fundamentals
Description: Information Security Overview; Why Security?; The Information Security Principles; Ethical Hacking; Trends in Security; Essential Terminology; Statistics Related to Security; Information Security Laws & Regulations
Chapter in Text: Reference to C2071

2. Addressing Threats
Description: What is a Threat?; Vulnerability; Exposures; Attacks; Malicious Code; Attack Description
Chapter in Text: Reference to C2071

3. Backdoors, Virus and Worms
Description: What is a Trojan?; Working of Trojans; Overt and Covert channels; Difference Between Virus and Worm; Virus History; When is a virus not a virus?; Life Cycle of Virus; Access Methods of a Virus; Indications of a Virus attack; Underground Writers; Malware Protection; Anti-Virus Software; Popular Anti-Virus Packages
Chapter in Text: Reference to C2071

4. The Hacking Cycle
Description: What does a Malicious Hacker do?; The Ethical Hacker's Process; Pre-Attack Phases
Chapter in Text: Reference to C2071

5. Computer Forensics Fundamentals
Description: Definition of Computer Forensics; History of Forensics; Need for Computer Forensics; Cyber Crime; Examples of Cyber Crime; Cyber Crime Investigation Process; Challenges in Cyber Crime Investigations; Cyber Law; Approaches to the Formulation of Cyber Laws; Some Areas Addressed by Cyber Law; Important Federal Statutes
Chapter in Text: Reference to C2070

6. Trademarks, Copyright and Patents
Description: Trademarks; Trademark Eligibility and Benefits of Registering it; Trademark Infringement; Copyright and Copyright Notice; Investigating Copyright Status of a Particular Work; How long does a copyright last?; Doctrine of Fair Use; Patents; Plagiarism; Turnitin Plagiarism Detection Tools
Chapter in Text: Reference to C2070

7. Network Forensic Fundamentals
Description: Challenges in Network Forensics; Internet Threats; External Threats; Automated Computer Attack; Sources of Evidence on a Network; What is a router?; Functions of a router; A router in an OSI; Types of router attack; Packet Mistreating Attacks; Routing Table Poisoning; Router Forensics vs Computer Forensics; Incident Response; Investigating Routers; Accessing the Router; Router Investigation Procedures
Chapter in Text: Reference to C2070

8. Incidents Response and Forensics
Description: What is an incident?; How to identify an Incident?; Procedure for Handling Incidents; CSIRT Overview; First Responder Procedure
Chapter in Text: Reference to C2070

9. Digital Evidence
Description: Introduction to Digital Evidence; Digital Evidence Investigation Process; Securing Digital Evidence; Documenting Evidence; Processing and Handling Digital Evidence in a Forensics Lab; Obtaining a Digital Hash and Analyzing it; Storing Digital Evidence; Evidence Retention and Media Storage Requirements
Chapter in Text: Reference to C2070

10. Steganography
Description: Definition of Steganography; Steganography vs. Cryptography; Image Steganography Overview; Strides in Steganography; Steganography Steps in hiding information; Applications of Steganography; Digital Watermark; Hiding information in Text Files; Hiding information in Network packets; Steganography tools
Chapter in Text: Reference to C2070

11. Analysing Logs
Description: The Importance of Network Log Files; Characteristics of Log Files; Event Log; Purposes of Log Files; Log Analysis Basics; Timestamps; Network Management Products; Protocol Analyzer
Chapter in Text: Reference to C2070

12. Email Crime and Computer Forensics
Description: Importance of E-Mail as Evidence; Working with E-Mail; Working with Webmail; Working with Mail Servers; Examining E-Mails for Evidence; Working with Instant Messaging
Chapter in Text: Reference to C2070
Activity: Assignment Due

Assessment Methods
The assessment framework will be in the form of continuous assessment and may be presented in one of the following formats:
1. 2 Tests plus 1 Coursework (Test 1: 30%, Test 2: 30%, Coursework: 40%), OR
2. 3 Tests (Test 1: 30%, Test 2: 30%, Test 3: 40%), OR
3. Coursework 100%

The assessment framework will vary from module to module and is subject to change from term to term. Refer to the latest module specifications for the recommended exam rubric.

ASSIGNMENT (COURSEWORK)
INSTRUCTIONS:
1. The assessment criteria are:
   (a) Substance
   (b) Originality of work
   (c) Presentation
   (d) Use of illustrations / examples, where appropriate
2. Independent research on the relevant topics is encouraged.
3. Special consideration would be given to students who demonstrate an in-depth analysis of the questions.
4. Candidates who simply regurgitate their answers from the course manual may risk failing the assignment.
5. Any similarities between individual assignments will result in a fail grade.
6. The assignment should be about 2,000 words (total).
7. Pages should be clearly numbered.
8. The format of the assignment should be as follows:
   (a) Front cover (i.e. title page), stating the: Module name and code; Student's full name and I/C number; Class code; Name of lecturer; Submission date
   (b) Contents page
   (c) Main body of the assignment
   (d) References. Example: Kotler, P. 1997, Marketing Management: Analysis, Planning, Implementation, and Control, 9th edn, Prentice Hall International.
9. Retain a photocopy of your course assignment.
10. Complete your assignment and hand it in by: ________12th Week____________
11. Late Assignment Policy: Assignments must be turned in on time for full consideration of a grade.
12. Academic Honesty and Professional Conduct: At Informatics, academic honesty and integrity are expected. If a student uses the ideas or words of another without crediting the source, such as literary theft, this is considered plagiarism. Documented plagiarism will result in a minimum penalty of failure in the assignment, but can result in failure in the course and/or withdrawal from the program. Students are encouraged to make use of an approved referencing system such as the Harvard Referencing system.
13. Feedback on Assignments: Your lecturer will provide you feedback on your assignments and grades.

TESTS

Tests are conducted during the module to give the student an opportunity to demonstrate an understanding of the subject and the materials taught. Tests are typically held at mid-term or at the end of term. A test could be conducted on-line or be paper-based. Depending on the subject matter, the length of a test could range from 1 hour to 3 hours. Tests could be conducted in class or in a formal exam setting.

EXAMINATIONS

Examinations are conducted at the end of each term in an exam hall setting. The duration of examinations is normally 3 hours.

Check the exam timetable with the School. The exam rubric may change from time to time and from module to module. Double check the final rubric with your School.

Module Objectives
At the completion of this module a student should be able to:
1. Understand the essentials of system intrusion and computer forensic investigation
2. Comprehend the processes and tools used by professionals as well as penetration testers.

Unit 1: Information Security Fundamentals
Introduction

This opening lesson establishes the foundation for understanding the broader field of information security. This is accomplished by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security.

Topics to be Covered
Information Security Overview; Why Security?; The Information Security Principles; Ethical Hacking; Trends in Security; Essential Terminology; Statistics Related to Security; Information Security Laws & Regulations
Discussion Questions
1. Search several government Web sites for IT-related job openings. What kinds of jobs can you find? What is the starting salary of each? What are the educational requirements? Create a list of your findings to share with the class.

2. Using a library with current periodicals, find a recent news article about a topic related to information security. Write a one- to two-page review of the article and how it is related to the principles of information security introduced in this lesson.


Unit 2: Addressing Threats
Introduction

Lesson 2 examines the current needs for security in organizations and technology. This lesson also examines the various threats facing organizations. The lesson continues with a detailed examination of the types of attacks that could arise from these threats, and how they could impact an organization's information and systems.

Topics to be Covered
What is a Threat?; Vulnerability; Exposures; Attacks; Malicious Code; Attack Description

Discussion Questions
1. What is the difference between a threat and an attack?
2. How do exploits relate to vulnerabilities?
3. Is there an ethically acceptable reason to study and use the various attack methods described in this module?

Unit 3: Backdoors, Virus and Worms
Introduction

Lesson 3 establishes the foundation for understanding the broader field of malware: backdoors, viruses and worms. This is accomplished by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of malware in computer security.

Topics to be Covered
What is a Trojan?; Working of Trojans; Overt and Covert channels; Difference Between Virus and Worm; Virus History; When is a virus not a virus?; Life Cycle of Virus; Access Methods of a Virus; Indications of a Virus attack; Underground Writers; Malware Protection; Anti-Virus Software; Popular Anti-Virus Packages

Discussion Questions
1. Perhaps you have seen the TV commercial in which a bored office worker unthinkingly opens an e-mail message, which launches a virus on her computer. The virus immediately spreads to her coworkers' computers and chaos breaks out in the office. The commercial may be overly dramatic (or comic, depending on your point of view), but it raises an important question: should a worker be held responsible for bringing a virus into an organization's network, even by accident? If so, what penalties would be reasonable? How can organizations prevent such incidents?

2. Is it better to have your Internet Service Provider (ISP) filter your e-mail, buy e-mail virus scanner software for your PC, or just manually delete spam and e-mail that contains bad attachments?

Unit 4: The Hacking Cycle
Introduction

Lesson 4 establishes the foundation for understanding the ethical hacker's role in the field of information security. This is accomplished by defining the ethical hacker's process, including the pre-attack phases.

Topics to be Covered
What does a Malicious Hacker do?; The Ethical Hacker's Process; Pre-Attack Phases

Discussion Questions
1. What is the key difference between information gathering techniques and enumeration?
2. Find out and report on the following enumeration techniques:
   1. FTP Enumeration, TCP 21
   2. Enumerating SMTP, TCP 25
   3. DNS Zone Transfers, TCP 53
   4. Enumerating TFTP, TCP/UDP 69
   5. Finger, TCP/UDP 79
   6. Enumerating HTTP, TCP 80
   7. Enumerating Microsoft RPC Endpoint Mapper (MSRPC), TCP 135
   8. NetBIOS Name Service Enumeration, UDP 137
   9. NetBIOS Session Enumeration, TCP 139
   10. SNMP Enumeration, UDP 161
   11. BGP Enumeration, TCP 179
   12. Windows Active Directory LDAP Enumeration, TCP/UDP 389 and 3268
   13. Novell NetWare Enumeration, TCP 524 and IPX
   14. UNIX RPC Enumeration, TCP/UDP 111 and 32771
   15. SQL Resolution Service Enumeration, UDP 1434
   16. NFS Enumeration, TCP/UDP 2049

Unit 5: Computer Forensic Fundamentals
Introduction

Today's computer forensics is clearly a new pattern of confidence, acceptance, and analysis that involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information. Computer forensics is about evidence from computers that is sufficiently reliable to stand up in court and be convincing. The fascinating part of the science is that computer evidence is often transparently created by the computer's operating system without the knowledge of the computer operator. The information may actually be hidden from view. To find it, special forensic software tools and techniques are required.

Topics to be Covered
Definition of Computer Forensics; History of Forensics; Need for Computer Forensics; Cyber Crime; Examples of Cyber Crime; Cyber Crime Investigation Process; Challenges in Cyber Crime Investigations; Cyber Law; Approaches to the Formulation of Cyber Laws; Some Areas Addressed by Cyber Law; Important Federal Statutes

Discussion Questions
1. Read and understand the issues reflected in the Napster Case Study. Discuss.

Unit 6: Trademarks, Copyright and Patents
Introduction

Any sign or any combination of signs, capable of distinguishing the goods or services of one undertaking from those of other undertakings, shall be capable of constituting a trade mark. Such signs, in particular words including personal names, letters, numerals, figurative elements and combinations of colors as well as any combination of such signs, shall be eligible for registration as trade marks. Where signs are not inherently capable of distinguishing the relevant goods or services, Members may make registrability depend on distinctiveness acquired through use. Members may require, as a condition of registration, that signs be visually perceptible.

Topics to be Covered
Trademarks; Trademark Eligibility and Benefits of Registering it; Trademark Infringement; Copyright and Copyright Notice; Investigating Copyright Status of a Particular Work; How long does a copyright last?; Doctrine of Fair Use; Patents; Plagiarism; Turnitin Plagiarism Detection Tools

Discussion Questions
1. Give four (4) reasons NOT to seek a patent for original software.
2. List at least 4 ways to assign a copyright.

Unit 7: Network Forensic Fundamentals
Introduction

Network forensics is the systematic tracking of incoming and outgoing traffic on your network. Network forensics poses greater challenges for several reasons:
1. Evidence can be segregated across multiple systems and networks, which may span different countries with different legal hindrances.
2. Evidence can be quickly destroyed, as many system and network professionals work on the affected systems and networks and in turn tamper with the evidence.
3. There can be many different investigators from different countries involved, making the chain of custody complicated.
4. The crime can be perpetrated at greater speed, as the systems and networks cannot be taken offline for forensic examination.

Topics to be Covered
Challenges in Network Forensics; Internet Threats; External Threats; Automated Computer Attack; Sources of Evidence on a Network; What is a router?; Functions of a router; A router in an OSI; Types of router attack; Packet Mistreating Attacks; Routing Table Poisoning; Router Forensics vs Computer Forensics; Incident Response; Investigating Routers; Accessing the Router; Router Investigation Procedures

Discussion Questions
1. If you discover during your investigation that another company's machines are being used as part of a DDoS attack, what should you do?

Unit 8: Incidents Response and Forensics
Introduction

Every business has its own risk environment, and any risk that materializes may interrupt the desired outcome of business processes. Any such interruption is called an incident. The following factors emphasize the importance of incident management:
1. In recent years there has been a steady trend of both increased occurrences and escalating losses resulting from information security incidents. These incidents have had a serious impact on businesses and organizations.
2. The increase of vulnerabilities in software or systems can affect large parts of an organization's infrastructure.
3. Failure of technical security controls to prevent incidents.
4. Legal and regulatory groups requiring the development of an incident management capability.
5. Greater awareness by organizations of risk management strategies.

Topics to be Covered
What is an incident?; How to identify an Incident?; Procedure for Handling Incidents; CSIRT Overview; First Responder Procedure

Discussion Questions
1. Your spouse works at a private school and reports rumours of a teacher, Dr. Zero, molesting some students and taking illicit pictures of them. Dr. Zero allegedly views these pictures in his office. Your spouse wants you to take a disk image of Dr. Zero's computer disk and find out if the rumours are true. Write a one- to two-page paper detailing how you would tell your spouse to proceed. Also, explain why walking into Dr. Zero's office to acquire a disk image would not preserve the integrity of the evidence.

Unit 9: Digital Evidence
Introduction

Digital evidence can be any information stored or transmitted in digital form. Because you cannot see or touch digital data directly, it is difficult to explain and describe it. Is digital evidence real or virtual? Does data on a disk or other storage medium physically exist, or does it merely represent real information? U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that is related to a criminal or civil incident.

Topics to be Covered
Introduction to Digital Evidence; Digital Evidence Investigation Process; Securing Digital Evidence; Documenting Evidence; Processing and Handling Digital Evidence in a Forensics Lab; Obtaining a Digital Hash and Analyzing it; Storing Digital Evidence; Evidence Retention and Media Storage Requirements

Discussion Questions
1. Describe how you received and secured evidence about the arson case from the insurance company. Create an evidence custody form showing that your firm received the image. What additional steps should you take to preserve the evidence?
2. You are hired to go through the office computing systems of an employee suspected of embezzling funds from the firm. What steps do you need to take? Write a one-page paper outlining the procedures you need to follow to make sure the evidence holds up in court.

Unit 10: Steganography
Introduction

Steganography is the art of secret writing. With steganography, messages can be hidden in images, sound files, or even the whitespace of a document before it is sent. This type of secret communication has been around for centuries. Books were written on this subject in the fifteenth and sixteenth centuries. The word steganography is derived from a Greek word that means covered writing. One of the ways it was originally used was to tattoo messages onto someone's shaved head; after the hair had grown out, that individual was sent to the message recipient. While this is certainly a way to hide information in plain sight, it is a far cry from how steganography is used today.

Topics to be Covered
Definition of Steganography; Steganography vs. Cryptography; Image Steganography Overview; Strides in Steganography; Steganography Steps in hiding information; Applications of Steganography; Digital Watermark; Hiding information in Text Files; Hiding information in Network packets; Steganography tools

Discussion Questions
1. You work for a mid-size corporation known for its inventions and that does a lot of copyright and patent work. You are investigating an employee suspected of selling and distributing animations that were created for your corporation. During your investigation of the suspect's drive, you find some files with an unfamiliar extension, .cde. The network administrator mentions that other .cde files have been sent through an FTP server to another site. List the steps for determining the contents of the .cde files.

Unit 11: Analysing Logs
Introduction

Networks perform many important processes automatically and in the background, and it is the job of the network administrator to make sure that what is supposed to have been done has been done, without error and without problems. One of the most challenging, yet rewarding, aspects of perimeter security is network log file analysis. This process involves trying to identify intrusions and intrusion attempts through vigilant monitoring and analysis of various log files and then correlating events among those files. There are many different types of network log files to review, from network firewalls, routers, and packet filters to host-based firewalls and intrusion detection systems (IDSs).
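The paragraph above describes log analysis as reading several log sources and then correlating events among them. The following Python script is an added illustration written for this guide, not code from the module's textbooks or from any product: it parses a few constructed firewall lines and IDS alert lines (the formats and addresses are invented for the example), normalises their differing timestamp styles, and reports source addresses that raised an IDS alert while also being denied by the firewall within a five-minute window. The function and field names are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example, not from a real
# system). The two sources use different timestamp formats on purpose, as is
# typical when a firewall and an IDS log independently.
FIREWALL_LOG = """\
2009-10-05 14:02:11 DENY TCP 198.51.100.23:51234 -> 192.0.2.10:22
2009-10-05 14:02:13 DENY TCP 198.51.100.23:51235 -> 192.0.2.10:23
2009-10-05 14:02:15 DENY TCP 198.51.100.23:51236 -> 192.0.2.10:80
2009-10-05 14:09:40 ALLOW TCP 203.0.113.7:40001 -> 192.0.2.10:443
"""

IDS_LOG = """\
Oct 05 14:02:14 ids1 sensor: [scan] TCP portsweep from 198.51.100.23
Oct 05 15:30:02 ids1 sensor: [policy] cleartext login from 203.0.113.9
"""

# Line formats are assumptions of this example, not any vendor's real format.
FW_RE = re.compile(
    r"^(\S+ \S+) (ALLOW|DENY) (\w+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
IDS_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ \[(\w+)\] (.*?) from (\d+\.\d+\.\d+\.\d+)$"
)


def parse_firewall(text):
    """Parse firewall lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "action": m.group(2),
            "src": m.group(4),
            "dst": m.group(5),
            "dport": int(m.group(6)),
        })
    return events


def parse_ids(text, year):
    """Parse syslog-style IDS alerts; syslog timestamps carry no year, so the
    analyst supplies it (an assumption that matters across a year boundary)."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
            "category": m.group(2),
            "msg": m.group(3),
            "src": m.group(4),
        })
    return events


def correlate(fw_events, ids_events, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources that raised an IDS alert and were
    also denied by the firewall within `window` of that alert."""
    denies = defaultdict(list)
    for e in fw_events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e)
    findings = {}
    for alert in ids_events:
        nearby = [d for d in denies.get(alert["src"], [])
                  if abs(d["ts"] - alert["ts"]) <= window]
        if nearby:
            findings[alert["src"]] = {
                "alert": alert["msg"],
                "denied_ports": sorted({d["dport"] for d in nearby}),
                "first_seen": min(d["ts"] for d in nearby).isoformat(sep=" "),
            }
    return findings


if __name__ == "__main__":
    result = correlate(parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG, 2009))
    for src, info in result.items():
        print(f"{src}: {info['alert']}; denied ports {info['denied_ports']} "
              f"starting {info['first_seen']}")
```

Run as written, the script reports only 198.51.100.23: its IDS alert falls inside the window of three firewall denials, whereas the second alert's source never appears in the firewall log and the ALLOW entry is not a denial. The point for an analyst is that neither log alone tells the whole story, and that the timestamp normalisation step (including the missing syslog year) is where correlation most often goes wrong.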

Topics to be Covered
The Importance of Network Log Files; Characteristics of Log Files; Event Log; Purposes of Log Files; Log Analysis Basics; Timestamps; Network Management Products; Protocol Analyzer

Discussion Questions
1. A user on your network calls to complain that her co-workers are receiving e-mail from her that she did not send. What type of attack is this? Who do you need to inform to prevent it from spreading? How do you analyse it using the different types of log files?

Unit 12: Email Crime and Computer Forensics
Introduction

E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, incriminating, unintentional documentation of people's activities and attitudes can be found through computer forensics of e-mail.

In Practice: E-Mail in Senate Investigations of Finance Companies
Financial institutions helped Enron manipulate its numbers and mislead investors. E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt.

Topics to be Covered
Importance of E-Mail as Evidence; Working with E-Mail; Working with Webmail; Working with Mail Servers; Examining E-Mails for Evidence; Working with Instant Messaging

Discussion Questions
1. A mother calls you to report that her 15-year-old daughter has run away from home. The mother has access to her daughter's e-mail and says that her daughter has a number of e-mail messages in her Inbox suggesting that she has run away to be with a 35-year-old woman. Write a brief report on how you should proceed.