CEHv6 module 57 computer forensics and incident handling


Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling
Exam 312-50 Certified Ethical Hacker
Module LVII: Computer Forensics and Incident Handling
Module LVII Page | 3969
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Scenario

Orient Recruitment Inc is an online human resource recruitment firm. The web server of the firm is a critical link. Neo, the network administrator, sees some unusual activity that is targeted towards the web server. The web server is overloaded with connection requests from a huge number of different sources. Before he could realize the potential of the attack, the website of Orient Recruitment Inc falls to the famous Denial-of-Service attack. The company management calls up the local Incident Response Team to look into the matter and solve the DoS issue. What steps will the incident response team take to investigate the attack?

Module Objective

This module will familiarize you with:
• Computer Forensics
• What is an Incident?
• Categories of Incidents
• Incident Response Checklist
• Handling Incidents
• Procedure for Handling Incident
• Incident Management
• Incident Reporting
• What is CSIRT?
• Types of Incidents and Level of Support
• Incident Specific Procedures
• Best Practices for Creating a CSIRT
• World CERTs

Module Flow

[Figure: module flow diagram covering, in order: Computer Forensics; What is an Incident; Categories of Incidents; Incident Response Checklist; Procedure for Handling Incident; Incident Management; Incident Reporting; What is CSIRT; Types of Incidents and Level of Support; Incident Specific Procedures; Best Practices for Creating a CSIRT; World CERTs]

To Know More About Computer Forensics, Attend EC-Council's CHFI Program

Computer Forensics

What is Computer Forensics?

According to Steve Hailey of Cyber Security Institute, computer forensics is: "The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found."

A second definition: "Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law."

Preservation

The forensic investigator must preserve the integrity of the original evidence. The original evidence should not be modified or damaged. The forensics examiner must make an image or a copy of the original evidence and then perform his analysis on that copy. He must also compare the copy with the original evidence to identify any modifications or damage.

Identification

The first and foremost step that a forensics examiner needs to take before starting his investigation is to identify the evidence and its location. For example, evidence may be contained in hard disks, other removable media, or even log files. Every forensic examiner must understand the difference between actual evidence and evidence containers. Locating and identifying information/data is a challenge for the digital forensics investigator. Various examination processes such as keyword search, log file analysis, and system checks help in the investigation.

Extraction

The immediate step after identifying the evidence is to extract data from it as soon as it is located. Since volatile data can be lost at any point in time, the forensic investigator must extract this data from the copy he made of the original evidence. This extracted data must be compared with the original evidence and analyzed.

Interpretation

The most important role played by a forensic examiner during an investigation is to interpret what he has actually found. The analysis and inspection of the evidence must be interpreted in a lucid manner.

Documentation

Documentation relating to evidence must be maintained from the beginning of the investigation until the end, where the evidence is presented before the court of law. The documentation will comprise the chain-of-custody form and documents relating to the evidence analysis.

Computer Forensics Methodologies

The basic methodology consists of what one can think of as the three A's:
• Acquire the evidence without modifying or corrupting the original
• Authenticate that the recovered evidence is the same as the originally seized data
• Analyze the data without any alterations

Due to the growing misuse of computers in criminal activities, there must be a proper set of methodologies for investigation. Apart from methodologies, forensic tools also play an important role during investigations, such as enabling the forensic examiner to recover deleted files, hidden files, and temporary data that the user may not be able to locate. The evidence acquired from computers is fragile and can be easily erased or altered. There is another possibility: the seized computer can be compromised if it is not handled using proper methodologies.

The methodologies involved in computer forensics may differ depending upon the procedures, resources, and target of the company. Stand-alone computers, workstations, servers, and online channels are some fundamental areas a forensic investigator must concentrate on. Investigation of stand-alone computers, workstations, and other removable media can be simple, whereas examination of servers and online channels can be complicated and tricky.

Auditing and logging during investigations are often not executed. They play a key role during investigations and must be given due importance, as they will provide leads to the case.

Need for Computer Forensics

According to James Borek (2001), "Computer Forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim."
• Presence of a majority of electronic documents
• Search and identify data in a computer
• Digital evidence can be easily destroyed if not handled properly
• For recovering deleted, encrypted, or corrupted files from a system

The importance of computer forensics has developed in the present-day scenario where computers are vulnerable to malicious purposes. Computers are either used as a tool to commit a crime or have become a target for these attacks. Computers are used to commit crimes, and crimes can be recorded on computers, including company policy breaches, fraud records, email crimes, revealing of valuable proprietary information, and even terrorist activities. Law enforcement officials, network and system administrators of IT firms, attorneys, and also private investigators depend upon qualified computer forensic experts to investigate their criminal and civil cases.

A majority of documents these days exist in electronic format. Computer evidence is delicate in nature; therefore it must be recorded to avoid loss of valuable evidence. Computer forensics includes locating and recovering data that resides in a computer system and also recovering deleted, encrypted, or damaged data. This data will be helpful when presenting testimony before the court of law.

Objectives of Computer Forensics

• To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law
• To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator

The critical phase of a computer forensic investigation is presenting the inferences of the previous phases (acquiring and analyzing). The objective is obvious: you must present the discovered evidence in a way that is accepted by the court of law, which increases your chances of winning the case. The other objective is to discover the evidence in a short time with accuracy. The impact of the crime on the victim, such as loss of reputation and data, has to be estimated along with the intent and identity of the intruder.
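The three A's (acquire, authenticate, analyze) and the chain-of-custody documentation described above can be exercised end to end in a small script. The following is an added example, not code from the EC-Council module: it hashes a constructed web-server log standing in for seized evidence, makes a byte-for-byte image, authenticates the image against the original hash, runs a keyword search on the copy only, re-verifies the image afterwards, and records every step in a chain-of-custody list. The examiner id, the SHA-256 choice, the sample log lines, and the plain-list custody record are all assumptions; a real acquisition would go through a write blocker and a forensic imaging tool.

```python
"""Acquire / Authenticate / Analyze demo for a forensic image (added example).

Assumptions (not from the module): a constructed byte string stands in for a
seized log file, SHA-256 is the integrity hash, and the chain of custody is a
plain list of dict entries with a hypothetical examiner id.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence: a short web-server log with connection attempts
# from several sources, loosely matching the module's DoS scenario.
SAMPLE_EVIDENCE = b"\n".join([
    b'203.0.113.5 - - [26/Dec/2013:21:12:01 +0000] "GET / HTTP/1.1" 200 512',
    b'198.51.100.7 - - [26/Dec/2013:21:12:01 +0000] "GET / HTTP/1.1" 200 512',
    b'192.0.2.9 - - [26/Dec/2013:21:12:02 +0000] "GET / HTTP/1.1" 503 0',
    b'198.51.100.7 - - [26/Dec/2013:21:12:02 +0000] "GET / HTTP/1.1" 503 0',
]) + b"\n"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def log_custody(chain: list, action: str, path: Path, digest: str) -> None:
    """Append one chain-of-custody entry: when, who, what, and the hash."""
    chain.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": "examiner-01",  # hypothetical examiner id
        "action": action,
        "item": str(path),
        "sha256": digest,
    })


def acquire(original: Path, image: Path, chain: list) -> str:
    """Acquire: hash the original first, then make a byte-for-byte copy.
    The original is never opened for writing from this point on."""
    original_hash = sha256_of(original)
    log_custody(chain, "hash original", original, original_hash)
    shutil.copyfile(original, image)
    log_custody(chain, "acquire image", image, sha256_of(image))
    return original_hash


def authenticate(image: Path, original_hash: str, chain: list) -> bool:
    """Authenticate: the image is trustworthy only if its hash matches."""
    image_hash = sha256_of(image)
    ok = image_hash == original_hash
    log_custody(chain, "verify image " + ("OK" if ok else "MISMATCH"), image, image_hash)
    return ok


def analyze(image: Path, keyword: bytes) -> dict:
    """Analyze the copy only: a keyword search (one of the examination
    processes the module names) counting hits and distinct source addresses."""
    hits = [ln for ln in image.read_bytes().splitlines() if keyword in ln]
    sources = {ln.split(b" ", 1)[0].decode() for ln in hits}
    return {"matches": len(hits), "sources": sorted(sources)}


def run_case(workdir=None) -> dict:
    """Full case: acquire, authenticate, analyze, then re-verify to show the
    analysis did not alter the image. Uses a fresh temp dir when none given."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    chain: list = []
    original = workdir / "evidence.log"
    image = workdir / "evidence.img"
    original.write_bytes(SAMPLE_EVIDENCE)  # constructed seized file

    original_hash = acquire(original, image, chain)
    if not authenticate(image, original_hash, chain):
        raise RuntimeError("image does not match original; do not analyze")
    findings = analyze(image, b" 503 ")
    still_intact = authenticate(image, original_hash, chain)
    return {"findings": findings, "intact": still_intact, "chain": chain}


def detect_tamper(workdir=None) -> bool:
    """Failure mode: an image modified after acquisition no longer matches the
    original hash; authenticate() returns False and the chain records it."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    chain: list = []
    original = workdir / "evidence2.log"
    image = workdir / "evidence2.img"
    original.write_bytes(SAMPLE_EVIDENCE)
    original_hash = acquire(original, image, chain)
    with image.open("ab") as fh:  # simulated accidental modification
        fh.write(b"extra line\n")
    return authenticate(image, original_hash, chain)


if __name__ == "__main__":
    result = run_case()
    for entry in result["chain"]:
        print(entry["time"], entry["action"], entry["sha256"][:16])
    print(result["findings"], "intact:", result["intact"])
    print("tampered image verified as authentic?", detect_tamper())
```

The hash of the original is taken before the copy is made and every later verification compares against that first value, so the custody record itself shows whether the working image is still the seized data; analysis never touches the original.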

Posted: 26/12/2013, 21:12