
Security Breach Notification Program
September 14, 2007

Rich Nolan
© 2006 Carnegie Mellon University

Role of a First Responder

Essentially the first person notified of, and reacting to, the security incident.

Responsibilities:
- Determine the severity of the incident
- Collect as much information about the incident as possible
- Document all findings
- Share the collected information to determine the root cause


First Responder Toolkit

- Understand program dependencies
- Select tools
- Test and verify tools
- Understand the benefits of using this methodology


Methodology for Creating a First Responder Toolkit

- Create the forensic tool testbed
- Document the testbed
- Document and set up the forensic tools
- Test the tools
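Added example (not part of the CERT slides): a small POSIX shell helper for the "document and set up" and "test" steps above. It records a SHA-256 manifest of every binary in the toolkit directory on the clean testbed, and verifies the toolkit against that manifest before a collection run, so a tool that was altered on the media, or that is missing, is caught before it is trusted on a suspicious computer. The function names `make_manifest`, `verify_toolkit` and `hash_file` and the directory layout are this example's own assumptions.

```sh
#!/bin/sh
# Toolkit documentation and verification (added example, not CERT code).
# Manifest format is the two-column "<sha256>  <tool name>" layout that
# sha256sum -c also understands, so the manifest doubles as documentation.

# hash_file FILE: print "<sha256>  <file>", using whichever tool is present.
# A missing file yields a "MISSING" token so the comparison below fails loudly.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null || printf 'MISSING  %s\n' "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" 2>/dev/null || printf 'MISSING  %s\n' "$1"
    else
        # openssl -r prints "<hash> *<file>"; field 1 is still the hash.
        openssl dgst -sha256 -r "$1" 2>/dev/null || printf 'MISSING  %s\n' "$1"
    fi
}

# make_manifest TOOL_DIR: hash every file in the toolkit directory.
# Run this on the clean testbed and keep the manifest with the toolkit
# documentation, not only on the same media as the tools themselves.
make_manifest() {
    for mm_path in "$1"/*; do
        [ -f "$mm_path" ] || continue
        mm_hash=$(hash_file "$mm_path" | cut -d' ' -f1)
        printf '%s  %s\n' "$mm_hash" "$(basename "$mm_path")"
    done
}

# verify_toolkit MANIFEST TOOL_DIR: recompute each hash; return 1 on any
# mismatch or missing tool so a wrapper script can refuse to start.
verify_toolkit() {
    vt_manifest=$1; vt_dir=$2; vt_rc=0
    while read -r vt_expected vt_name; do
        [ -n "$vt_name" ] || continue
        vt_actual=$(hash_file "$vt_dir/$vt_name" | cut -d' ' -f1)
        if [ "$vt_actual" = "$vt_expected" ]; then
            printf 'OK       %s\n' "$vt_name"
        else
            printf 'MISMATCH %s expected=%s actual=%s\n' \
                "$vt_name" "$vt_expected" "$vt_actual"
            vt_rc=1
        fi
    done < "$vt_manifest"
    return "$vt_rc"
}
```

Typical use: `make_manifest /mnt/toolkit/bin > toolkit.sha256` on the testbed, then `verify_toolkit toolkit.sha256 /mnt/toolkit/bin || exit 1` at the top of the collection script. Hash verification only proves the binaries are the ones you documented; the binaries should also be statically linked, otherwise they still load shared libraries from the suspicious computer, which is exactly the trust assumption the slides warn against.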


NIST Methodology
NIST: National Institute of Standards and Technology, Information Technology Laboratory, Computer Forensic Tool Testing Program.

The Computer Forensics Tools Verification project provides a measure of assurance that the tools used in the investigation of computer-related crimes produce valid results. It also supports other projects in the National Institute of Justice's overall computer forensics research program, such as the National Software Reference Library (NSRL).

http://www.cftt.nist.gov/


What is Volatile Data?


Definition:
Any data stored in system memory that will be lost when the machine loses power or is shut down

Location:
Registers, cache, and RAM (this module focuses on RAM)


Order of Volatility
From most to least volatile:
1. Registers and cache
2. Routing table, ARP cache, process table, kernel statistics, connections
3. Temporary file systems
4. Hard disk or other nonvolatile storage devices
5. Remote or off-site logging and monitoring data
6. Physical configuration and network topology
7. Archival media such as backup tapes, disks, and so on

Why is Volatile Data Important?

Gain initial insight:
- Current state of the system
- What activities are currently being, or were, executed
- Validity of the alert that flagged the suspicious computer
- Root of the problem

Determine a logical timeline of the incident:
- Identify the time, date, and user responsible for the security incident

Determine the next step:
- Decide whether a full collection of the persistent data on the suspicious computer is necessary

One chance to collect:
- After the system is rebooted or shut down, it's too late!


Common First Responder Mistakes

- Shutting down or rebooting the suspicious computer
- Assuming that some parts of the suspicious machine may be reliable and usable
- Not having access to baseline documentation about the suspicious computer


Types of Volatile Information

- Volatile System Information: a collection of information about the current configuration and running state of the suspicious computer
- Volatile Network Information: a collection of information about the network state of the suspicious computer


Volatile System Information

- System profile
- Current system date and time
- Command history
- Current system uptime
- Running processes
- Open files, startup files, clipboard data
- Logged-on users
- DLLs or shared libraries


Volatile Data Collection Methodology


Step 1: Incident Response Preparation

- Forensic tool testbed
- First responder toolkit
- Creation of collection policies


Step 2: Incident Documentation

- Incident profile
- Forensic collection logbook
- First responder toolkit documentation


Step 3: Policy Verification

- Determine your authority to collect
- Determine the manner in which you may collect


Step 4: Volatile Data Collection Strategy

- Types of volatile information to collect
- Tools and techniques that facilitate this collection
- Location for saved forensic tool output
- Administrative vs. user access
- Type of media access (floppy, CD-ROM, USB)
- Whether the machine is connected to the network


Step 5: Volatile Data Collection Setup

- Establish a trusted command shell
- Establish the transmission and storage method
- Ensure the integrity of forensic tool output


Step 6: Volatile Data Collection Process

1. Collect uptime, date, time, and command history for the security incident.
2. As you execute each forensic tool or command, record the date and time to establish an audit trail.
3. Begin a command history that will document all forensic collection activities.
4. Collect all types of volatile system and network information.
5. End the forensic collection with date, time, and command history.
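Added example (not the CERT toolkit, and not code from the slides): one POSIX shell script that carries out the step 5 setup and the step 6 sequence together. It prefers tools from a trusted toolkit path, writes a UTC-timestamped collection log that records every command before and after it runs (the audit trail and command history), saves each tool's output to its own file, and appends a SHA-256 line per output file to a manifest so the integrity of the collection can be checked later. `TOOLKIT_DIR`, the output directory, the function names and the step list are this example's own assumptions; a tool that is absent on the host is recorded as missing rather than stopping the run.

```sh
#!/bin/sh
# Volatile data collection runner (added example, not the CERT toolkit).
# Hypothetical layout: trusted, statically linked tools are mounted read-only
# at TOOLKIT_DIR; output goes to a directory on removable media or a share.
TOOLKIT_DIR="${TOOLKIT_DIR:-/mnt/toolkit/bin}"
# Trusted shell: resolve tools from the toolkit first. In a real run PATH
# should contain only TOOLKIT_DIR; the system PATH is kept here only so the
# example runs on a machine where no toolkit is mounted.
PATH="$TOOLKIT_DIR:$PATH"; export PATH

OUT_DIR=""; LOG=""   # set by collect_volatile

# hash_file FILE: "<sha256>  <file>" with whichever hashing tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else printf 'NOHASH  %s\n' "$1"
    fi
}

# log MESSAGE: one UTC-timestamped line in the collection log. The log is
# both the audit trail and the command history the procedure asks for.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# run_step NAME CMD ARGS...: log the exact command, run it, keep stdout and
# stderr in NAME.txt, and append the file's hash to the manifest. A tool that
# is missing or fails is recorded rather than aborting the whole collection.
run_step() {
    rs_name=$1; shift
    rs_out="$OUT_DIR/$rs_name.txt"
    log "START $rs_name: $*"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$rs_out" 2>&1 || log "WARN $rs_name: exit status $?"
    else
        printf 'tool not available: %s\n' "$1" > "$rs_out"
        log "WARN $rs_name: $1 not found in PATH"
    fi
    hash_file "$rs_out" >> "$OUT_DIR/manifest.sha256"
    log "END $rs_name"
}

# collect_volatile OUT_DIR: the step 6 sequence, opened and closed with
# date/time, ordered from the more to the less volatile information.
collect_volatile() {
    OUT_DIR=$1
    mkdir -p "$OUT_DIR"
    LOG="$OUT_DIR/collection.log"
    : > "$LOG"
    log "COLLECTION BEGIN host=$(hostname 2>/dev/null || echo unknown) responder=$(id -un)"
    run_step 01_date        date -u
    run_step 02_uptime      uptime
    run_step 03_system      uname -a
    run_step 04_logged_on   who
    run_step 05_processes   ps -ef
    run_step 06_connections netstat -an
    run_step 07_sockets     ss -anp
    run_step 08_arp         arp -an
    run_step 09_routes      netstat -rn
    run_step 10_mounts      mount
    run_step 11_history     cat "${HOME:-/root}/.bash_history"
    log "COLLECTION END"
    hash_file "$LOG" >> "$OUT_DIR/manifest.sha256"
}
```

Run it as `collect_volatile /media/usb/case-001` from the trusted shell, then copy the directory (or stream it with a tool such as `nc` to the collection host) and keep `manifest.sha256` in the logbook. Every command the script runs changes memory on the suspicious computer, which is why each one is logged with its time: the logbook must let a reviewer separate the responder's activity from the attacker's.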


Summary
- Collected volatile data can lead the first responder to the root cause of the security incident.
- Volatile data can be easily changed and lost.
- Document all findings and actions performed during the volatile data collection process.
- Use a first responder toolkit to collect volatile data.
