Computer Intrusion Investigation Guidelines

The process of catching the hacker may be simple, but obtaining and analyzing the evidence can be very complex. First, the investigator needs to understand the basics of a "hack" or an "intrusion." The hacker, or intruder, essentially breaks into a number of computers or computer systems to obtain either root or user level access to a computer. A hacker does this for three reasons:

* Storage: the hacker finds a victim computer on which to store tools and programs that can be used to exploit other computers;
* Protection: the hacker typically establishes a number of "jumps," or stepping stones, en route to a particular computer or computer system. This process hides the location of the hacker, including protecting the original Internet provider of the hack; and
* Exploitation: the hacker wants to exploit a computer or computer system to obtain information or vandalize the computer.

The investigator can track the hacker by implementing three investigative techniques:

* Operations: the investigator goes undercover;
* Sources: the investigator develops sources that provide information about hackers and their activities; and
* Investigation: the investigator uses various methods to legally obtain computer records (normally security and audit logs). These records are then examined in an effort to surface evidence.

These records give the investigator the opportunity to track, or trace, the hacker back. This should not be confused with "hacking back," which is illegal.

INVESTIGATION BASICS

As with any investigation, investigators have many leads to follow. In the computer intrusion investigation, the initial steps are the same, because most computer intrusions are remarkably similar in nature. When hackers break into a government computer system, the Department of Defense (DOD) typically learns of it through intrusion detection systems, from other law enforcement agencies, or by obvious Web page defacement. Computer intrusion cases are directed to the DOD's Defense Criminal Investigative Service's Computer Crimes Investigation Program.

Hackers make a number of jumps from their computer through various other computers or computer systems. For technical reasons, the number of these jumps is limited, but each of these jumps is probably a victim. To track down these hackers, federal agents must obtain and review various logs from each of the jumps or victims. If these logs are obtained in a timely fashion, the investigation will lead quickly to either the hacker or a dead end. The dead end generally results when hackers jump through or from foreign countries. Sometimes the dead end occurs because the investigator could not obtain the computer logs.

It should be noted that, due to the nature of the hacker culture, hackers commonly share their exploits with other hackers. This means it is very common to find that more than one hacker has broken into a particular computer or computer system. Although the intrusion may have only just been reported, it is typically at least a few hours or a few days old.

Most investigations begin when the investigator receives a call or complaint from a DOD Computer Emergency Response Team (CERT); a systems administrator or computer security personnel; or a witness or confidential or registered source. The initial phases of a computer intrusion investigation can be broken down into 12 steps.

THE TWELVE STEPS

Step One

Obtain the identifying data on the caller.
Step Two

Obtain the identifying data on the victim computer. What is the victim IP? What agency does it belong to? Who is the system point of contact (POC)? Is the victim computer "mission critical"?

Step Three

Obtain the known particulars of the intrusion. This is sometimes called the "ticket" information. What is the source IP? When did the incident occur? What method of intrusion was used? Was it a root or user level intrusion?

Step Four

Determine if the victim computer has been secured (i.e., has it been taken off line and stored to protect the evidence). Has the system administrator removed all hacker programs, sniffers, and tools? Have the appropriate security patches been installed?

Step Five

Meet with the system administrator and determine if the victim computer should be taken off-line and taken into evidence or if it can be left on-line and used to monitor the hacker's future activity.

Step Six

Arrange to have the computer seized as evidence, or have a mirror image made of the victim computer's hard drive.

Step Seven

Determine the appropriate method of obtaining computer records from the source (e.g., the source computer, computer system, or network). Depending on the type of computer or computer system, investigators can use five methods to obtain computer records. The method the investigator uses is determined by the Stored Wire and Electronic Communications Act. The five methods are:

* official request;
* inspector general subpoena;
* grand jury subpoena;
* court order; or
* search warrant.

Step Eight

Contact the source and obtain its computer logs.

Step Nine

Make arrangements to have the victim system examined. The forensic analysis of a computer system is called a "system autopsy."

The System Autopsy

There are essentially two types of system autopsies: 1) an abbreviated autopsy, which identifies the basics of the intrusion and begins to establish probable cause for court orders and search warrants; and 2) a comprehensive autopsy, or forensic analysis, which is acceptable for criminal trial. The abbreviated autopsy should be accomplished within a few days of the intrusion. The comprehensive autopsy can take weeks or even months.

Available Resources

An expert in the field of system analysis should perform the system autopsy. Various resources available for assistance include:

* the DOD's Computer Forensics Laboratory;
* the DOD CERT; and
* other federal law enforcement agencies (including the FBI, the MCIOs, and the NASA OIG).

In addition, investigators can use a number of automated tools to perform the system autopsy.

The Analysis Process

The system autopsy is the process of finding out what the hacker did to a given computer and what the hacker left behind. This can usually be accomplished using these 10 investigative techniques:

1) Examine the computer's log files and backups, working with a mirror image of the victim system. Keep in mind that these logs may have been altered by the hacker(s). Reviewing system backups and comparing them to the victim machine's logs may help identify any alterations. Examine "wtmp" files, history logs, message logs, the "syslog," firewall logs, router logs, and proxy server logs.
2) Examine all files run by "cron" and "at." System administrators usually automate the logging processes; cron is the utility used to do this automation. Hackers sometimes use cron to automate their processes as well.
3) Examine the "/etc/passwd" file for alterations. The "/etc/passwd" file contains the encrypted passwords of all users. Look for alterations, blank entries, and empty password fields.
4) Check the system for unauthorized services, such as backdoor versions of "finger," "rsh," "rlogin," "ftp," or other services.
5) Check the system for sniffer programs.
6) Check the system for trojanized programs.
7) Look for "setuid" and "setgid" files, which may provide the hacker with root access to the system.
8) Look for "+" entries, which signify that all incoming connections are from trusted computers. Look for nonlocal host names.
9) Look for unusual and hidden files.
10) Review all processes currently running on the system.

Step Ten

Review the computer system and attempt to determine the next jump back.

Tracking Back

In principle, tracking the hacker is simple. Once an intrusion is reported, the investigator has a "victim." This is the first victim, or the final site or last jump taken by the hacker. A review of computer security and audit logs usually surfaces the first jump back, typically the second victim. After evaluating the known facts about this second victim, the investigator can determine the best method of obtaining the victim's security and audit logs. The review of the second victim's security and audit logs can surface information that identifies the next jump back, usually the third victim.

Possible Conclusions

The investigator continues this process of tracing back the hacker's jumps. This investigative process leads to one of three conclusions:

* The hacker is located. At this point, traditional law enforcement techniques such as arrest warrants, search warrants, trap and trace, or other techniques come into play.
* The trace back leads to a foreign country. Depending on the particulars, this case may now fall into the area of foreign counterintelligence. It may lead to a joint investigation with foreign law enforcement organizations. Or, it may result in an investigative dead end.
* The trace back leads to a dead end within the United States. This typically happens when one of the victim sites cannot provide useful records, when records could not be obtained in a timely manner, or when the hacker was able to "spoof," or fake, the IP address.

Step Eleven

Make arrangements to have the source logs examined.

Step Twelve

Conduct appropriate interviews.

CONCLUSION

As computer intrusion crimes increase and hackers become more efficient, the investigator's role and task will become more difficult. However, these guidelines should help answer some basic questions encountered at the onset of any computer intrusion investigation.

Special Agent Davis serves with the Defense Criminal Investigative Service, Department of Defense, in Arlington, Virginia.
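Techniques 3, 7, 8 and 9 of the Analysis Process above, scripted so they can be run against a mounted mirror image of the victim (Step Six) rather than typed by hand. This is an added example, not code from the article or from any DOD or DCIS tool. It assumes a hypothetical read-only mount point /mnt/victim_image, a constructed local domain example.mil, that the "+" trust entries live in etc/hosts.equiv (the rsh/rlogin trust file, an assumption; the article names only the entries), and that dot-names are unexpected under a fixed list of system directories. Because modern systems keep the password hashes in etc/shadow rather than etc/passwd, the empty-field check is run on both files. The sample image tree at the end is constructed, not real data.

```python
"""Abbreviated system-autopsy checks over a mounted mirror image: an added example,
not the article's own material. Assumes a hypothetical read-only mount at IMAGE_ROOT."""
import os
import stat
import tempfile
from pathlib import Path

IMAGE_ROOT = "/mnt/victim_image"                              # hypothetical mount
LOCAL_DOMAIN = ".example.mil"                                 # constructed domain
NO_DOTFILES = ("tmp", "var/tmp", "dev", "usr/lib", "usr/bin")  # assumption

def password_file_findings(text, check_uid=True):
    """Technique 3: blank entries, empty password fields, extra uid-0 users (run on etc/shadow too)."""
    findings = []
    for line in text.splitlines():
        if line.strip() == "":
            findings.append(("blank-entry", line))
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append(("malformed", line))
            continue
        user, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append(("empty-password", user))
        if check_uid and uid == "0" and user != "root":
            findings.append(("extra-uid0", user))
    return findings

def trust_findings(text, local_domain=LOCAL_DOMAIN):
    """Technique 8: '+' wildcards and nonlocal hosts in 'host [user]' lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split()[0]
        if host.startswith("+"):
            findings.append(("trust-wildcard", line))
        elif not host.endswith(local_domain):
            findings.append(("nonlocal-trust", line))
    return findings

def is_privileged_file(mode):
    """Technique 7: regular file carrying the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def is_unusual_name(name, rel_dir):
    """Technique 9: whitespace-padded or all-dot names hide in 'ls'; dot-names where none are expected."""
    if name in (".", ".."):
        return False
    if name != name.strip() or set(name) <= {"."}:
        return True
    return name.startswith(".") and any(
        rel_dir == d or rel_dir.startswith(d + "/") for d in NO_DOTFILES)

def filesystem_findings(root):
    """Walk the image without following symlinks; paths are relative to root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        for name in dirnames + filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            if is_unusual_name(name, rel_dir):
                findings.append(("unusual-name", rel))
            if is_privileged_file(os.lstat(os.path.join(dirpath, name)).st_mode):
                findings.append(("setuid-setgid", rel))
    return sorted(findings)

def read_text(root, rel):
    path = Path(root, rel)   # a missing file (no etc/shadow, say) yields nothing
    return path.read_text(errors="replace") if path.is_file() else ""

def run_autopsy(root=IMAGE_ROOT):
    """One report keyed by check; every entry is a lead to verify, not proof."""
    return {
        "passwd": password_file_findings(read_text(root, "etc/passwd")),
        "shadow": password_file_findings(read_text(root, "etc/shadow"), check_uid=False),
        "hosts.equiv": trust_findings(read_text(root, "etc/hosts.equiv")),
        "filesystem": filesystem_findings(root),
    }

def build_sample_image():
    """Constructed sample tree standing in for a mounted image (not real data)."""
    root = tempfile.mkdtemp(prefix="autopsy_sample_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "tmp", "... "))           # dots plus a space
    os.makedirs(os.path.join(root, "home", "web", ".ssh"))   # an ordinary dot-dir
    Path(root, "etc", "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nweb:x:1001:1001::/home/web:/bin/sh\n"
        "\ntoor::0:0:added by intruder:/:/bin/sh\n")
    Path(root, "etc", "hosts.equiv").write_text("build1.example.mil\n+\nshell.example.net guest\n")
    tool = Path(root, "tmp", "... ", "ps")
    tool.write_text("#!/bin/sh\n")
    os.chmod(tool, 0o4755)   # setuid bit; some mounts silently drop it
    return root
```

Run `run_autopsy("/path/to/mounted/image")` against a read-only mount of the mirror image, never the live victim, and treat each finding as a lead to compare against the backups named in technique 1, since the article's warning that the hacker may have altered the logs applies just as much to the files this script reads.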
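The hop-by-hop trace described under Tracking Back and Possible Conclusions, as an added example that is not part of the original article. It works on constructed syslog-style sshd "Accepted" lines standing in for each jump's security logs, assumes a log year of 2024 (classic syslog omits the year), treats 10.0.0.0/8 as the victim site's own address space, and uses a hypothetical table IP_TO_HOST recording which jump each source address proved to be once its owner was identified. Each jump's login must precede the login it produced on the previous victim, so the time window tightens at every step, and the trace ends with one of the article's outcomes: a next source whose records have not yet been obtained, or a dead end where a jump yields no usable records.

```python
"""Tracing the hacker's jumps back through login records: an added example,
not the article's own material. Log lines are constructed syslog-style sshd
records; IP_TO_HOST is a hypothetical table of which jump each address proved to be."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2024                                     # classic syslog omits the year
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the victim site's own addresses
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample logs, keyed by the jump they were obtained from.
LOGS_BY_HOST = {
    "victim1.example.mil": [
        "Mar  3 02:14:07 victim1 sshd[4121]: Accepted password for web from 198.51.100.23 port 51022 ssh2",
        "Mar  3 02:15:40 victim1 sshd[4130]: Accepted publickey for admin from 10.0.0.5 port 40011 ssh2",
        "Mar  3 02:16:12 victim1 sshd[4142]: Accepted password for web from 198.51.100.23 port 51030 ssh2",
    ],
    "hop2.example.edu": [
        "Mar  3 02:10:55 hop2 sshd[911]: Accepted password for guest from 203.0.113.77 port 33100 ssh2",
    ],
    "hop3.example.net": [],   # records never obtained: a domestic dead end
}
IP_TO_HOST = {"198.51.100.23": "hop2.example.edu", "203.0.113.77": "hop3.example.net"}
INCIDENT_WINDOW = (datetime(2024, 3, 3, 2, 0, 0), datetime(2024, 3, 3, 2, 30, 0))


def parse_accepted(line, year=LOG_YEAR):
    """(timestamp, user, source ip) for an sshd 'Accepted' line, else None."""
    m = ACCEPTED.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def is_local(ip):
    """True for addresses inside the victim site's own networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def candidate_sources(lines, window_start, window_end):
    """Remote login sources inside the window as (ip, count, first_seen),
    most frequent first. Local addresses are not jumps and are skipped."""
    counts, first_seen = Counter(), {}
    for line in lines:
        parsed = parse_accepted(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if not (window_start <= ts <= window_end) or is_local(ip):
            continue
        counts[ip] += 1
        first_seen[ip] = min(ts, first_seen.get(ip, ts))
    return [(ip, n, first_seen[ip]) for ip, n in counts.most_common()]


def trace_back(first_victim, window_start, window_end,
               logs_by_host=LOGS_BY_HOST, ip_to_host=IP_TO_HOST, max_jumps=10):
    """Follow the strongest source one jump at a time. A jump's own login must
    precede the login it produced on the previous victim, so the window end
    tightens at every step. Returns (chain of victims, conclusion)."""
    chain, current = [first_victim], first_victim
    for _ in range(max_jumps):
        lines = logs_by_host.get(current)
        if not lines:
            return chain, f"dead end: no usable records from {current}"
        sources = candidate_sources(lines, window_start, window_end)
        if not sources:
            return chain, f"dead end: no remote logins in window on {current}"
        ip, _count, first_seen = sources[0]
        if ip not in ip_to_host:
            return chain, f"next jump is {ip}; its records have not been obtained yet"
        current, window_end = ip_to_host[ip], first_seen
        chain.append(current)
    return chain, "stopped: maximum number of jumps reached"


if __name__ == "__main__":
    print(trace_back("victim1.example.mil", *INCIDENT_WINDOW))
```

When the conclusion names an address whose records are not yet in hand, Steps Seven and Eight apply to that source next; when it reports a dead end, the three outcomes under Possible Conclusions decide what follows. The login counts are leads to be checked against backups, as technique 1 advises, not proof of the route, and a spoofed or altered record will mislead this trace exactly as it would a manual review.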