
Tuesday, August 11, 2015

ISM unit 5 question bank answers 122-126

QUESTION NUMBER 122-126

122. Write a note on forensic toolkit.

Analysts should have access to various tools that enable them to perform examinations and analysis of data, as well as some collection activities. Many forensic products allow the analyst to perform a wide range of processes to analyze files and applications, as well as collecting files, reading disk images, and extracting data from files. Most analysis products also offer the ability to generate reports and to log all errors that occurred during the analysis. Although these products are invaluable in performing analysis, it is critical to understand which processes should be run to answer particular questions about the data. An analyst may need to provide a quick response or just answer a simple question about the collected data. In these cases, a complete forensic evaluation may not be necessary or even feasible. The forensic toolkit should contain applications that can accomplish data examination and analysis in many ways and can be run quickly and efficiently from floppy disks, CDs, or a forensic workstation. The following processes are among those that an analyst should be able to perform with a variety of tools:

Using File Viewers.
Using viewers instead of the original source applications to display the contents of certain types of files is an important technique for scanning or previewing data, and is more efficient because the analyst does not need native applications for viewing each type of file. Various tools are available for viewing common types of files, and there are also specialized tools solely for viewing graphics. If available file viewers do not support a particular file format, the original source application should be used; if this is not available, then it may be necessary to research the file’s format and manually extract the data from the file.

Uncompressing Files.
Compressed files may contain files with useful information, as well as other compressed files. Therefore, it is important that the analyst locate and extract compressed files. Uncompressing files should be performed early in the forensic process to ensure that the contents of compressed files are included in searches and other actions. However, analysts should keep in mind that compressed files might contain malicious content, such as compression bombs, which are files that have been repeatedly compressed, typically dozens or hundreds of times. Compression bombs can cause examination tools to fail or consume considerable resources; they might also contain malware and other malicious payloads. Although there is no definite way to detect compression bombs before uncompressing a file, there are ways to minimize their impact. For instance, the examination system should use up-to-date antivirus software and should be standalone to limit the effects to just that system. In addition, an image of the examination system should be created so that, if needed, the system can be restored.
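The compression-bomb caveat above can be turned into a pre-extraction check. The following is an added example (not from the original page or from any particular forensic product) that reads only the ZIP central directory, compares declared against compressed sizes, and walks nested archives to a fixed depth without inflating a flagged member. The thresholds, the sample archive and the nesting limit are assumptions chosen for the demonstration; declared sizes come from the archive itself and can be forged, so the real extraction step should still be capped by bytes written.

```python
import io
import zipfile

# Triage thresholds (assumed values, not from the text): expansion beyond
# 100:1 or more than 100 MB of declared content is treated as suspicious.
MAX_RATIO = 100.0
MAX_TOTAL = 100 * 1024 * 1024
MAX_DEPTH = 3


def build_sample_zip() -> bytes:
    """Constructed sample: an outer archive holding a note and a nested
    archive whose single member is 10 MB of zeros (deflates to a few KB)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\x00" * (10 * 1024 * 1024))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"constructed examination notes")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


def archive_stats(data: bytes):
    """Declared and compressed totals read from the central directory only;
    no member is inflated, so a bomb cannot exhaust memory at this step."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = z.infolist()
    compressed = sum(m.compress_size for m in members)
    declared = sum(m.file_size for m in members)
    ratio = declared / compressed if compressed else float("inf")
    return declared, compressed, ratio


def assess_archive(data: bytes, depth: int = 0) -> list:
    """Return a list of findings; an empty list means nothing was flagged
    at this level or in any nested archive that was inspected."""
    declared, compressed, ratio = archive_stats(data)
    tag = f"depth {depth}: "
    findings = []
    if ratio > MAX_RATIO:
        findings.append(tag + f"expansion ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    if declared > MAX_TOTAL:
        findings.append(tag + f"declared size {declared} bytes exceeds {MAX_TOTAL}")
    if findings:
        return findings  # do not open members of an archive already flagged
    if depth >= MAX_DEPTH:
        return [tag + "nesting limit reached; review manually"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for m in z.infolist():
            # Nested archives are recognised by extension here; checking the
            # member's header bytes would be more reliable than its name.
            if m.filename.lower().endswith(".zip"):
                # Safe to read: this level's declared total is under MAX_TOTAL.
                findings += assess_archive(z.read(m.filename), depth + 1)
    return findings


if __name__ == "__main__":
    for line in assess_archive(build_sample_zip()) or ["no findings"]:
        print(line)
```

On the constructed sample the outer archive looks harmless (ratio near 1:1), and the suspicious ratio only appears one level down, which is why the check descends rather than judging the top level alone.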

Graphically Displaying Directory Structures.
This practice makes it easier and faster for analysts to gather general information about the contents of media, such as the type of software installed and the likely technical aptitude of the user(s) who created the data. Most products can display Windows, Linux, and UNIX directory structures, whereas other products are specific to Macintosh directory structures.

Identifying Known Files.
The benefit of finding files of interest is obvious, but it is also often beneficial to eliminate unimportant files, such as known good OS and application files, from consideration. Analysts should use validated hash sets, such as those created by NIST's National Software Reference Library (NSRL) project or personally created hash sets that have been validated, as a basis for identifying known benign and malicious files. Hash sets typically use the SHA-1 and MD5 algorithms to establish message digest values for each known file.
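The known-file elimination described above, as an added example that is not part of the original page and does not use real NSRL data: the "known" contents and the hash set derived from them are constructed for the demonstration, and the evidence directory is a temporary folder. Because the comparison is by content hash, a known file that has been renamed is still eliminated, while a copy with a single changed byte is kept for review.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "known" file contents standing in for NSRL entries; the hash
# set below is computed from them, so these are not real NSRL values.
KNOWN_CONTENTS = {
    "kernel32.dll": b"constructed stand-in for a known operating-system file",
    "setup.exe": b"constructed stand-in for a known application installer",
}


def digest_file(path: Path, chunk: int = 1 << 16) -> dict:
    """MD5 and SHA-1 of a file, read in chunks so large files need little memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def build_hash_set(contents: dict) -> set:
    """Known-file hash set keyed by SHA-1, analogous to an NSRL-derived set."""
    return {hashlib.sha1(data).hexdigest() for data in contents.values()}


def triage(directory: Path, known_sha1: set):
    """Split files into those matching the hash set (eliminated) and the rest (review)."""
    eliminated, review = [], []
    for path in sorted(p for p in Path(directory).rglob("*") if p.is_file()):
        d = digest_file(path)
        entry = (path.name, d["sha1"])
        (eliminated if d["sha1"] in known_sha1 else review).append(entry)
    return eliminated, review


def demo() -> dict:
    """Constructed evidence directory: one known file under its usual name,
    another known file renamed, a modified copy, and an unrelated document."""
    known = build_hash_set(KNOWN_CONTENTS)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel32.dll").write_bytes(KNOWN_CONTENTS["kernel32.dll"])
        # Renamed known file: the name lies, the hash does not.
        (root / "holiday.jpg").write_bytes(KNOWN_CONTENTS["setup.exe"])
        # One appended byte: no longer a known file, so it stays in scope.
        (root / "kernel32_patched.dll").write_bytes(KNOWN_CONTENTS["kernel32.dll"] + b"\x90")
        (root / "memo.txt").write_bytes(b"constructed user document")
        eliminated, review = triage(root, known)
    return {"eliminated": [n for n, _ in eliminated], "review": [n for n, _ in review]}


if __name__ == "__main__":
    print(demo())
```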

Performing String Searches and Pattern Matches.
String searches aid in perusing large amounts of data to find key words or strings. Various searching tools are available that can use Boolean, fuzzy logic, synonyms and concepts, stemming, and other search methods. Examples of common searches include searching for multiple words in a single file and searching for misspelled versions of certain words. Developing concise sets of search terms for common situations can help the analyst reduce the volume of information to review. Some considerations or possible difficulties in performing string searches are as follows:

• Some proprietary file formats cannot be string searched without additional tools. In addition, compressed, encrypted, and password-protected files require additional pre-processing before a string search.

• The use of multi-character data sets that include foreign or Unicode characters can cause problems with string searches; some searching tools attempt to overcome this by providing language translation functions.

• Another possible issue is the inherent limitations of the search tool or algorithm. For example, a match might not be found for a search string if part of the string resided in one cluster and the rest of the string resided in a nonadjacent cluster. Similarly, some search tools might report a false match if part of a search string resided in one cluster and the remainder of the string resided in another cluster that was not part of the same file that contained the first cluster.
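The Unicode and cluster-boundary problems in the last two bullets can both be shown on a small constructed image. The following added example (not from the original page) builds a toy 8-cluster image with a made-up allocation table: one file is fragmented so that "confidential" straddles two non-adjacent clusters, a neighbouring cluster belonging to a different file begins with "dential" (the false-match case), and a third file stores the keyword as UTF-16LE. A naive raw search reports the false match and misses the real one; reassembling each file from its cluster chain before searching, in more than one encoding, finds the true hit. The cluster size and the allocation table are assumptions for the demonstration.

```python
CLUSTER = 64  # constructed toy cluster size; real filesystems use 4 KB or more

# Constructed allocation table: which clusters each file occupies, in order.
# On a real system this comes from filesystem metadata (FAT chains, NTFS runs).
FILES = {
    "memo.txt": [1, 5],       # fragmented: continues in a non-adjacent cluster
    "pamphlet.txt": [2],
    "settings.dat": [6],      # holds the keyword in UTF-16LE
}


def build_image() -> bytes:
    clusters = [b"\x00" * CLUSTER for _ in range(8)]

    def fill(index, data):
        assert len(data) <= CLUSTER
        clusters[index] = data.ljust(CLUSTER, b"\x00")

    # memo.txt: "confidential" straddles cluster 1 (which ends in "confi") and cluster 5.
    memo = (b"Quarterly memo: the attached figures are".ljust(CLUSTER - 5, b" ")
            + b"confidential, do not forward.")
    fill(1, memo[:CLUSTER])
    fill(5, memo[CLUSTER:])
    # pamphlet.txt happens to start with "dential", producing a raw false match.
    fill(2, b"dential hygiene pamphlet, revision 2")
    # settings.dat stores the keyword as UTF-16LE, as Windows software often does.
    fill(6, "confidential".encode("utf-16-le"))
    return b"".join(clusters)


def find_all(haystack: bytes, needle: bytes) -> list:
    hits, i = [], haystack.find(needle)
    while i != -1:
        hits.append(i)
        i = haystack.find(needle, i + 1)
    return hits


def raw_search(image: bytes, term: str) -> dict:
    """Naive search over the raw image in several encodings; offsets are image offsets."""
    return {enc: find_all(image, term.encode(enc)) for enc in ("ascii", "utf-16-le")}


def file_search(image: bytes, clusters: list, term: str,
                encodings=("ascii", "utf-16-le")) -> list:
    """Reassemble a file from its cluster chain, then search; offsets are file offsets."""
    data = b"".join(image[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
    return sorted(hit for enc in encodings for hit in find_all(data, term.encode(enc)))


if __name__ == "__main__":
    img = build_image()
    print("raw:", raw_search(img, "confidential"))
    for name, chain in FILES.items():
        print(name, file_search(img, chain, "confidential"))
```

The raw search is still worth running, because it also covers slack and free space that no allocation table points to; the point is that its offsets must be mapped back to files (or to unallocated space) before a hit is treated as evidence.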

Accessing File Metadata.
File metadata provides details about any given file. For example, collecting the metadata on a graphic file might provide the graphic's creation date, copyright information, description, and the creator's identity. Metadata for graphics generated by a digital camera might include the make and model of the digital camera used to take the image, as well as F-stop, flash, and aperture settings. For word processing files, metadata could specify the author, the organization that licensed the software, when and by whom edits were last performed, and user-defined comments. Special utilities can extract metadata from files.



123. Write a note on Examining data files.

After a logical backup or bit stream imaging has been performed, the backup or image may have to be restored to another media before the data can be examined. This is dependent on the forensic tools that will be used to perform the analysis. Some tools can analyze data directly from an image file, whereas others require that the backup or image be restored to a medium first. Regardless of whether an image file or a restored image is used in the examination, the data should be accessed only as read-only to ensure that the data being examined is not modified and that it will provide consistent results on successive runs. Write-blockers can be used during this process to prevent writes from occurring to the restored image. After restoring the backup (if needed), the analyst begins to examine the collected data and performs an assessment of the relevant files and data by locating all files, including deleted files, remnants of files in slack and free space, and hidden files. Next, the analyst may need to extract the data from some or all of the files, which may be complicated by such measures as encryption and password protection.

Locating the Files
The first step in the examination is to locate the files. A disk image can capture many gigabytes of slack space and free space, which could contain thousands of files and file fragments. Manually extracting data from unused space can be a time-consuming and difficult process, because it requires knowledge of the underlying filesystem format. Fortunately, several tools are available that can automate the process of extracting data from unused space and saving it to data files, as well as recovering deleted files and files within a recycling bin. Analysts can also display the contents of slack space with hex editors or special slack recovery tools.

Extracting the Data
The rest of the examination process involves extracting data from some or all of the files. To make sense of the contents of a file, an analyst needs to know what type of data the file contains. The intended purpose of file extensions is to denote the nature of the file’s contents; for example, a jpg extension indicates a graphic file, and an mp3 extension indicates a music file. However, users can assign any file extension to any type of file, such as naming a text file mysong.mp3 or omitting a file extension. In addition, some file extensions might be hidden or unsupported on other OSs. Therefore, analysts should not assume that file extensions are accurate. Analysts can more accurately identify the type of data stored in many files by looking at their file headers. A file header contains identifying information about a file and possibly metadata that provides information about the file’s contents. Other patterns are indicative of files that are encrypted or that were modified through steganography.
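Header-based type identification, as an added example that is not part of the original page: a short table of well-known leading byte sequences is compared with what the file extension claims, and a mismatch such as the text's mysong.mp3 case is flagged. The signature table is deliberately small and the sample files are constructed; a mismatch is only reported when the header identifies a type with confidence, so an MP3 without an ID3 tag (which the table does not recognise) is reported as unknown rather than as a false alarm.

```python
from pathlib import PurePath

# (leading bytes, type) pairs, listed longest-first so a longer signature wins.
# A small, well-known subset; real tools carry hundreds of signatures.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"ID3", "mp3"),
    (b"MZ", "pe"),
]

# What each extension claims to be; Office OOXML documents are zip containers.
EXTENSION_CLAIMS = {
    ".png": "png", ".gif": "gif", ".pdf": "pdf", ".zip": "zip", ".docx": "zip",
    ".xlsx": "zip", ".jpg": "jpeg", ".jpeg": "jpeg", ".mp3": "mp3",
    ".exe": "pe", ".dll": "pe", ".txt": "text",
}


def identify_by_header(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # Fallback heuristic: printable ASCII plus whitespace is reported as text.
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data[:512]):
        return "text"
    return "unknown"


def classify(name: str, data: bytes) -> dict:
    """Compare the extension's claim with the header; flag only confident mismatches."""
    claimed = EXTENSION_CLAIMS.get(PurePath(name).suffix.lower(), "none")
    actual = identify_by_header(data)
    mismatch = claimed not in ("none", actual) and actual != "unknown"
    return {"name": name, "claimed": claimed, "actual": actual, "mismatch": mismatch}


# Constructed sample contents (headers only; these are not real files).
SAMPLES = {
    "mysong.mp3": b"Dear diary, this is actually a text file.\n",
    "report.pdf": b"%PDF-1.4\n%constructed minimal header\n",
    "holiday.jpg": b"PK\x03\x04" + b"\x00" * 26 + b"constructed zip renamed as jpeg",
    "notes": b"%PDF-1.7\n",                      # extension omitted entirely
    "track.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 16,  # MP3 frame sync, no ID3 tag
}


def demo() -> dict:
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for result in demo().values():
        print(result)
```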

Using a Forensic Toolkit
Analysts should have access to various tools that enable them to perform examinations and analysis of data, as well as some collection activities. Many forensic products allow the analyst to perform a wide range of processes to analyze files and applications, as well as collecting files, reading disk images, and extracting data from files. Most analysis products also offer the ability to generate reports and to log all errors that occurred during the analysis. Although these products are invaluable in performing analysis, it is critical to understand which processes should be run to answer particular questions about the data. An analyst may need to provide a quick response or just answer a simple question about the collected data. In these cases, a complete forensic evaluation may not be necessary or even feasible. The forensic toolkit should contain applications that can accomplish data examination and analysis in many ways and can be run quickly and efficiently from floppy disks, CDs, or a forensic workstation.



124. Explain the two different techniques used for copying files from media.

Copying Files from Media
Files can be copied from media using two different techniques:

Logical Backup.
A logical backup copies the directories and files of a logical volume. It does not capture other data that may be present on the media, such as deleted files or residual data stored in slack space.

Bit Stream Imaging.
Also known as disk imaging, bit stream imaging generates a bit-for-bit copy of the original media, including free space and slack space. Bit stream images require more storage space and take longer to perform than logical backups.
If evidence may be needed for prosecution or disciplinary actions, the analyst should get a bit stream image of the original media, label the original media, and store it securely as evidence. All subsequent analysis should be performed using the copied media to ensure that the original media is not modified and that a copy of the original media can always be recreated if necessary. All steps that were taken to create the image copy should be documented. Doing so should allow any analyst to produce an exact duplicate of the original media using the same procedures. In addition, proper documentation can be used to demonstrate that evidence was not mishandled during the collection process. Besides the steps that were taken to record the image, the analyst should document supplementary information such as the hard drive model and serial number, media storage capacity, and information about the imaging software or hardware that was used (e.g., name, version number, licensing information). All of these actions support the maintenance of the chain of custody.
When a bit stream image is executed, either a disk-to-disk or a disk-to-file copy can be performed. A disk-to-disk copy, as its name suggests, copies the contents of the media directly to another media. A disk-to-file copy copies the contents of the media to a single logical data file. A disk-to-disk copy is useful since the copied media can be connected directly to a computer and its contents readily viewed. However, a disk-to-disk copy requires a second media similar to the original media. A disk-to-file copy allows the data file image to be moved and backed up easily. However, to view the logical contents of an image file, the analyst has to restore the image to media or open or read it from an application capable of displaying the logical contents of bit stream images.
Numerous hardware and software tools can perform bit stream imaging and logical backups. Hardware tools are generally portable, provide bit-by-bit images, connect directly to the drive or computer to be imaged, and have built-in hash functions. Hardware tools can acquire data from drives that use common types of controllers, such as Integrated Drive Electronics (IDE) and Small Computer System Interface (SCSI). Software solutions generally consist of a startup diskette, CD, or installed programs that run on a workstation to which the media to be imaged is attached. Some software solutions create logical copies of files or partitions and may ignore free or unallocated drive space, whereas others create a bit-by-bit image copy of the media.
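A disk-to-file bit stream copy with the documentation and verification the text calls for, as an added example that is not from the original page or from any named imaging tool. The "media" is a constructed byte string read through a file-like object (on a real acquisition the source would be a block device behind a write-blocker), the device model and serial number are placeholders, and the tool name is made up. The source is hashed during the single read pass, the written image is re-hashed afterwards and compared, and the demo then alters one byte of the image to show that verification fails.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone
from typing import BinaryIO

CHUNK = 1 << 16


def image_to_file(source: BinaryIO, dest_path: str, note: dict) -> dict:
    """Disk-to-file copy: stream the source once, hashing every byte as it is
    written. The returned record is the acquisition documentation."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    total = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(dest_path, "wb") as out:
        for block in iter(lambda: source.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
            out.write(block)
            total += len(block)
    record = dict(note)
    record.update({
        "image_path": dest_path,
        "bytes_copied": total,
        "source_sha256": sha256.hexdigest(),
        "source_md5": md5.hexdigest(),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    })
    return record


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(record: dict) -> bool:
    """Re-hash the image file and compare with the hash taken from the source."""
    return hash_file(record["image_path"]) == record["source_sha256"]


def build_sample_media() -> bytes:
    """Constructed 'media': a fake boot-sector prefix, some content, and zeroed free space."""
    return b"\xebZ\x90CONSTRUCTED-FS" + bytes(range(256)) * 512 + b"\x00" * 65536


def demo() -> dict:
    media = build_sample_media()
    # Placeholder documentation fields; a real record would carry the actual values.
    note = {"device_model": "PLACEHOLDER-MODEL", "serial": "PLACEHOLDER-SERIAL",
            "capacity_bytes": len(media), "tool": "example imager 0.1 (constructed)"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        record = image_to_file(io.BytesIO(media), path, note)
        ok_before = verify_image(record)
        # Simulate an altered image: flip one byte, then verification must fail.
        with open(path, "r+b") as fh:
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(record)
    return {"bytes": record["bytes_copied"], "sha256": record["source_sha256"],
            "verified": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(demo())
```

Hashing the source during the same read that produces the image keeps the original media to a single pass; the acquisition hash and the later verification hash are recorded separately so that a mismatch points at the copy, not at the evidence.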

Organizations should have policy, guidelines, and procedures that indicate the circumstances under which bit stream images and logical backups (including those from live systems) may be performed for forensic purposes and which personnel may perform them. It is typically most effective to establish policy, guidelines, and procedures based on categories of systems (i.e., low, moderate, or high impact) and the nature of the event of interest; some organizations also choose to create separate policy statements, guidelines, and procedures for particularly important systems. The policy, guidelines, or procedures should identify the individuals or groups with authority to make decisions regarding backups and images; these people should be capable of weighing the risks and making sound decisions. The policy, guidelines, or procedures should also identify which individuals or groups have the authority to perform the backup or imaging for each type of system. Access to some systems might be restricted because of the sensitivity of the operations or data in the system.


125. What is NESSUS? Why is it considered as the most popular vulnerability scanner?

• Nessus is a network security scanner. It utilizes plug-ins, which are separate files, to handle the vulnerability checks.
• This makes it easy to install plug-ins and to see which plug-ins are installed to make sure that you are current. Nessus uses a server-client architecture.
• The main server will need to be built on a supported Unix-like operating system.
• The client is available for Unix, Linux, and Windows. The server is not optional, because it performs the security checks.
• The administrator of the server sets up user accounts for other team members and issues rights to those accounts.
• The clients must log in to the server to be able to run their scans.

Why is Nessus popular?
If you are familiar with other network vulnerability scanners, you might be wondering what advantages Nessus has over them. Key points include:

- Unlike other scanners, Nessus does not make assumptions about your server configuration (such as assuming that port 80 must be the only web server) that can cause other scanners to miss real vulnerabilities.

- Nessus is very extensible, providing a scripting language for you to write tests specific to your system once you become more familiar with the tool. It also provides a plug-in interface, and many free plug-ins are available from the Nessus plug-in site. These plug-ins are often specific to detecting a common virus or vulnerability.

- Up-to-date information about new vulnerabilities and attacks. The Nessus team updates the list of what vulnerabilities to check for on a daily basis in order to minimize the window between an exploit appearing in the wild and you being able to detect it with Nessus.

- Open-source. Nessus is open source, meaning it costs nothing, and you are free to see and modify the source as you wish.

- Patching Assistance: When Nessus detects a vulnerability, it is also most often able to suggest the best way you can mitigate the vulnerability.


126. What types of vulnerabilities are scanned by NESSUS?

Nessus allows scans for the following types of vulnerabilities:
• Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
• Misconfiguration (e.g. open mail relay, missing patches, etc.).
• Default passwords, a few common passwords, and blank/absent passwords on some system accounts.
• Nessus can also call Hydra (an external tool) to launch a dictionary attack.
• Denials of service against the TCP/IP stack by using mangled packets.
• Preparation for PCI DSS audits
On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. In typical operation, Nessus begins by doing a port scan with one of its four internal portscanners (or it can optionally use Amap [1] or Nmap [2]) to determine which ports are open on the target and then tries various exploits on the open ports. The vulnerability tests, available as subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction.

Tenable Network Security produces several dozen new vulnerability checks (called plugins) each week, usually on a daily basis. These checks are available for free to the general public; commercial customers are not allowed to use this Home Feed any more. The Professional Feed (which is not free) also gives access to support and additional scripts (e.g. audit files, compliance tests, additional vulnerability detection plugins).

Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. There exist many different commercial, free and open source tools for both UNIX and Windows to manage individual or distributed Nessus scanners.

If the user chooses to do so (by disabling the option 'safe checks'), some of Nessus' vulnerability tests may try to cause vulnerable services or operating systems to crash. This lets a user test the resistance of a device before putting it in production.

Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system, and can perform password auditing using dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they have been configured per a specific policy, such as the NSA's guide for hardening Windows servers.
