
INTRODUCTION TO COMPUTER FORENSICS 1


Introduction to Computer Forensics-Unit 1 IP

ITF 403-1004A-02 Forensics-Network Security-Data Protection

Gregory J. Lubinsky

August 29, 2010

Andrew J. Mahaney

American InterContinental University Online



Abstract

Cooperation between law enforcement and private corporations leads to the categorization of computer crime incidents and expands knowledge to include training for, combating, and restoring from incidents, giving better response times in detecting, isolating and prosecuting the offenders. Life's lessons come from comparing two unrelated fields of interest that both use the same methods to effect the same outcome. Just as a fire can lead to better prevention methods, the restoration of a computer system can lead to better protection methods against various incidents. Lastly, different types of intrusions and some counter-measures for them are described.



Identifying Incidents

Categories of Incidents

Law Enforcement and Corporate Cooperation. The federal government and US-CERT developed a method of identifying and categorizing computer incidents. Numbered from 0 to 6 (see Appendix), each category describes a level of intrusion, with the exception of Category 0, which is a testing scenario for training purposes to heighten awareness of, detection of, and recovery from computer incidents, and Category 6, which is an ongoing investigation (US-CERT, 2010).

Comparison to Engineering Events in the Navy

Computer Incidents vs Engineering Casualties

Similarities of both incidents. A person cannot compare a "high water or low water" boiler casualty to an intrusion on a computer. However, in both instances there are similarities in what constitutes controlling the situation and recovering from the casualty. The main purpose in both cases is to control the situation so that no further damage occurs, then find the cause and correct it so as to return to normal operation. It is no different in civilian life: when the electricity goes out in a supermarket, the manager or owner has to establish rules that govern security in the store to prevent loss of frozen foods, theft by customers, and the uncontrolled influx and outflux of people entering and leaving the store. Everybody does it, and everyone has a different name for it! The secret is control and action: the ability to control situations by a series of actions, rehearsed or not, to prevent loss or damage of important resources. Take for instance a business that was struck by fire and part of the building was damaged. During the restoration of the building, the owner may install fire-retardant walls and flooring, insulation and paint. These constitute added preventative measures that were not present to begin with. The point is that these measures are not exclusive to fire damage; they are practiced in all forms of business and personal life. Computers are no different: after an attack, the team has to prevent further instances from occurring, or at least delay the next incident long enough that control of the situation can commence, possibly before loss or damage can happen.

Combating Intrusions

Installed Systems

IDS and NIDS Systems. These systems are designed to handle intrusions. An IDS or NIDS monitors the packets on the wire; for example, a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine will reveal an intruder scanning the TCP ports, such as a hacker with the intention of causing a denial of service. A NIDS can watch all traffic on the network, while the IDS monitors the many individual machines (WindowsSecurity, 2010). An SIV (Security Integrity Verifier) monitors system files so that when a hacker changes the files, the SIV can catch him in the act; it also watches other components like the Registry and cron configuration. An LFM monitors the log files generated by network services. Honeypots, fly-traps, lures and decoys copy well-known holes in order to trap hackers.
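The SYN-scan check described above, as an added example that is not code from the paper or from the cited FAQ: it sweeps a time-ordered list of packet records (constructed here) and alerts when one source sends pure SYNs to more than a threshold of distinct ports on one target inside a sliding window. The record layout, threshold and window are assumptions.

```python
from collections import defaultdict

# Constructed sample packet records (not from the paper): (time_s, src, dst, dport, flags).
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 22, "S"),
    (0.1, "10.0.0.5", "10.0.0.20", 23, "S"),
    (0.2, "10.0.0.5", "10.0.0.20", 25, "S"),
    (0.3, "10.0.0.5", "10.0.0.20", 80, "S"),
    (0.4, "10.0.0.5", "10.0.0.20", 110, "S"),
    (0.5, "10.0.0.5", "10.0.0.20", 143, "S"),
    (1.0, "10.0.0.7", "10.0.0.20", 80, "S"),    # ordinary client: one port only
    (1.2, "10.0.0.7", "10.0.0.20", 80, "A"),
    (90.0, "10.0.0.9", "10.0.0.20", 443, "S"),  # slow: one new port every 90 s
    (180.0, "10.0.0.9", "10.0.0.20", 445, "S"),
]


def detect_syn_scans(packets, port_threshold=5, window_s=60.0):
    """Return {(src, dst): sorted distinct ports} for every source that sent pure
    SYNs to more than `port_threshold` distinct ports of one target within `window_s`.
    The threshold and window are assumed tuning values."""
    syns = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for t, src, dst, dport, flags in packets:
        if flags == "S":  # pure SYN = a new connection attempt
            syns[(src, dst)].append((t, dport))
    alerts = {}
    for key, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_s
            while events[end][0] - events[start][0] > window_s:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > port_threshold:
                alerts[key] = sorted(ports)
                break  # one alert per source/target pair is enough
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scans(SAMPLE_PACKETS).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```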

Physical intrusions give the hacker the advantage of physical contact with the machine, in which case he can dismantle it piece by piece or install Trojans and viruses locally (WindowsSecurity, 2010). In a system intrusion the hacker usually already has a low-level account on the system, and a system that does not have the latest patches makes a good target for such an intrusion (WindowsSecurity, 2010). A remote intrusion is where the hacker attempts to penetrate the system remotely over the network with no special clearances, and he will have a harder time if a firewall exists between him and the target machine (WindowsSecurity, 2010). Other forms of infiltration are software bugs, such as buffer overflows, and unexpected combinations, like sending Perl language that tells the computer what to do, so that when the user wants one program to start the computer opens a completely different program. Default configurations are dangerous: although they may be easy to use, they are also easy to hack, and this applies to Unix and Windows NT systems. Lazy administrators cause most of the problems because they do not want to configure the passwords while setting up; they want to get the machine running in order to use it.

Countering attacks can be fun for some people, but some of the most common attacks to counter are ping sweeps, TCP, UDP and account scans, and OS identification:

By sending illegal (or strange) ICMP or TCP packets, an intruder can identify the operating system. Standards usually state how machines should respond to legal packets, so machines tend to be uniform in their response to valid input. However, standards omit (usually intentionally) the response to invalid input. Thus, each operating system's unique responses to invalid inputs form a signature that hackers can use to figure out what the target machine is. This type of activity occurs at a low level (like stealth TCP scans) that systems do not log (WindowsSecurity, 2010).
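The quotation above points out that probes built from flag combinations the standard never defines go unlogged. As an added example (not code from the paper or the cited FAQ), the small logger below classifies TCP packet records by their flag set and emits a log line for every combination a real connection would never produce, so that the low-level activity becomes visible to the operator. The packet records and the rule set are constructed assumptions.

```python
# Constructed sample TCP packet records: (src, dst, dport, flags), where flags is a
# frozenset of TCP flag letters (S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG).
SAMPLE_TCP = [
    ("10.0.0.5", "10.0.0.20", 22, frozenset("S")),    # normal handshake start
    ("10.0.0.20", "10.0.0.5", 22, frozenset("SA")),   # normal SYN/ACK reply
    ("10.0.0.8", "10.0.0.20", 80, frozenset()),        # no flags at all
    ("10.0.0.8", "10.0.0.20", 80, frozenset("FPU")),   # FIN+PSH+URG with no ACK
    ("10.0.0.8", "10.0.0.20", 80, frozenset("SF")),    # SYN and FIN together
    ("10.0.0.7", "10.0.0.20", 80, frozenset("FA")),    # normal connection close
]


def classify_flags(flags):
    """Return None for a flag combination a standard TCP connection produces, or a
    short label for one that no conforming stack sends (assumed rule set)."""
    if not flags:
        return "null-flags"
    if "S" in flags and "F" in flags:
        return "syn+fin"
    if "S" in flags and "R" in flags:
        return "syn+rst"
    if "A" not in flags and "S" not in flags and "R" not in flags:
        # after the SYN, every segment on a real connection carries ACK
        return "no-ack"
    return None


def anomalous_packets(packets):
    """Build one log line per packet whose flags fall outside the standard."""
    lines = []
    for src, dst, dport, flags in packets:
        label = classify_flags(flags)
        if label:
            shown = "".join(sorted(flags)) or "-"
            lines.append(f"{label}: {src} -> {dst}:{dport} flags={shown}")
    return lines


if __name__ == "__main__":
    for line in anomalous_packets(SAMPLE_TCP):
        print(line)
```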

References

Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing (4th ed.). Upper Saddle River, NJ: Prentice Hall.

Steel, C. (2006). Windows forensics: A field guide for conducting corporate computer investigations. Indianapolis, IN: Wiley Publishing.

US-CERT (2010). Incident reporting guidelines. Retrieved from http://www.us-cert.gov/federal/reportingRequirements.html

WindowsSecurity (2010). Network intrusion detection systems. Retrieved from http://www.windowsecurity.com/whitepapers/FAQ_Network_Intrusion_Detection_Systems_.html#1

Appendix

Incident Categories, Response Time Frames and Remedies

Cat 0 - Exercise/Network Defense Testing
  Description: This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
  Response time frame: Not applicable; this category is for each agency's internal use during exercises.

Cat 1 - Unauthorized Access
  Description: An individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
  Response time frame: Within one (1) hour of discovery/detection.

Cat 2 - Denial of Service
  Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim of or participating in the DoS.
  Response time frame: Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

Cat 3 - *Malicious Code
  Description: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
  Response time frame: Daily. Note: within one (1) hour of discovery/detection if widespread across the agency.

Cat 4 - *Improper Usage
  Description: A person violates acceptable computing use policies.
  Response time frame: Weekly.

Cat 5 - Scans/Probes/Attempted Access
  Description: Any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
  Response time frame: Monthly. Note: if the system is classified, report within one (1) hour of discovery.

Cat 6 - Investigation
  Description: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
  Response time frame: Not applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

This table has been modified in Word 2007. The original is a black and white image from http://www.us-cert.gov/federal/reportingRequirements.html
