Answer the following questions:
1. Name and briefly describe the four process phases for performing digital
forensics.
· Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.
· Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.
· Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
· Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.
2. Name the three organizational groups that are the primary forensic tool users.
· Investigators. Investigators within an organization are most often from the Office of Inspector General (OIG), and they are responsible for investigating allegations of misconduct. For some organizations, the OIG immediately takes over the investigation of any event that is suspected to involve criminal activity. The OIG typically uses many forensic techniques and tools. Other investigators within an organization might include legal advisors and members of the human resources department. Law enforcement officials and others outside the organization that might perform criminal investigations are not considered part of an organization’s internal group of investigators.
· IT Professionals. This group includes technical support staff and system, network, and security administrators. They use a small number of forensic techniques and tools specific to their area of expertise during their routine work (e.g., monitoring, troubleshooting, data recovery).
· Incident Handlers. This group responds to a variety of computer security incidents, such as unauthorized data access, inappropriate system usage, malicious code infections, and denial of service attacks. Incident handlers typically use a wide variety of forensic techniques and tools during their investigations.
3. What is incident (handling) response?
· It is the capability to respond to incidents systematically so that appropriate steps are taken. It helps personnel recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services. It is using information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data. It is a method of dealing properly with legal issues that may arise during incidents.
4. What is an incident response team?
· Incident response teams can be made up of forensic analysts, system, network, and security administrators, and computer security program managers who are responsible for performing forensics for investigative, incident response, or troubleshooting purposes.
5. When reporting an incident, what information should be provided?
· Report the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.
6. Name and describe four categories of tools that should be available to respond to
an incident.
· Running Processes. All UNIX-based systems offer the ps command for displaying currently running processes. Although Windows offers a graphical user interface (GUI).based process list utility, the Task Manager, it is usually preferable to have a text-based listing. Third-party utilities can be used to generate a text list of running processes for Windows systems.
· Open Files. All UNIX-based systems offer the lsof command for displaying a list of open files. Third-party utilities can be used to generate text lists of open files for Windows systems.
· Login Sessions. Some OSs have built-in commands for listing the currently logged on users, such as the w command for UNIX systems, which also lists the source address of each user and when the user logged onto the system. Third-party utilities are available that can list currently connected users on Windows systems.
· Operating System Time. There are several utilities available for retrieving the current system time, time zone information, and daylight savings time settings. On UNIX systems, the date command can be used to retrieve this information. On Windows systems, the date, time, and nlsinfo commands can be used collectively to retrieve this information.
7. What is a Denial of Service (DoS) attack?
· An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
8. Name and describe five DoS attack containment strategies.
· If an attack is ongoing, such as an extended denial of service attack, organizations might want to identify the IP address used by the attacker so that the attack can be stopped.
· Spoofed IP Addresses. Many attacks use spoofed IP addresses. Spoofing is far more difficult to perform successfully for attacks that require connections to be established, so it is most commonly used in cases where connections are not needed.
· Many Source IP Addresses. Some attacks appear to use hundreds or thousands of different source IP addresses. Sometimes attackers will use one real IP address and many fake ones; in that case, it might be possible to identify the real IP address by looking for other network activity occurring before or after the attack that uses any of the same IP addresses
· Validity of the IP Address. Because IP addresses are often assigned dynamically, the system currently at a particular IP address might not be the same system that was there when the attack occurred. In addition, many IP addresses do not belong to end-user systems, but instead to network infrastructure components that substitute their IP address for the actual source address, such as a firewall performing NAT. Some attackers use anonymizers, which are intermediate servers that perform activity on a user’s behalf to preserve the user’s privacy.
· Contact the IP Address Owner. The Regional Internet Registries, such as the American Registry for Internet Numbers (ARIN), provide WHOIS query mechanisms on their Web sites for identifying the organization or person that owns it and is responsible for a particular IP address.
· Look for Clues in Application Content. Application data packets related to an attack might
contain clues to the attacker’s identity. In addition to IP addresses, valuable information could
include an e-mail address or an Internet relay chat (IRC) nickname.
9. Briefly define malicious code.
· A virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host.
10. Briefly define an unauthorized access incident. Give several examples.
· When a person gains logical or physical access without permission to a network, system, application, data, or other IT resource.
· An attacker runs an exploit tool to gain access to a server’s password file.
· A perpetrator obtains unauthorized administrator-level access to a system and the sensitive data it contains, and then threatens the victim that the details of the break-in will be released to the press if the organization does not pay a designated sum of money.
11. Briefly describe a multiple component incident.
· A single incident that encompasses two or more incidents; for example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.