Digital forensics
Handbook, Document for teachers
September 2013
www.enisa.europa.eu
About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network
and information security expertise for the EU, its member states, the private sector and Europe’s
citizens. ENISA works with these groups to develop advice and recommendations on good practice in
information security. It assists EU member states in implementing relevant EU legislation and works
to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks
to enhance existing expertise in EU member states by supporting the development of cross-border
communities committed to improving network and information security throughout the EU. More
information about ENISA and its work can be found at
www.enisa.europa.eu.
Authors
This document was created by the CERT capability team at ENISA in consultation with:
Don Stikvoort and Michael Potter from S-CURE, The Netherlands, Mirosław Maj, Tomasz Chlebowski,
Paweł Weżgowiec from ComCERT, Poland, Przemysław Skowron from Poland, Roeland Reijers from
Rubicon Projects, The Netherlands and Mirko Wollenberg from DFN-CERT Services, Germany.
Contact
For contacting the authors please use
CERT-Relations@enisa.europa.eu
For media enquires about this paper, please use
press@enisa.europa.eu.
Acknowledgements
ENISA wants to thank all institutions and persons who contributed to this document. A special
“Thank You” goes to the following contributors:
Jarosław Stasiak from BRE Bank, Poland, Łukasz Juszczyk from ING Services, Poland, Vincent
Danjean from Interpol, Daniel Röthlisberger and Frank Herbert from SWITCH, Switzerland,
Adam Ziaja and Dawid Osojca from ComCERT SA, Poland.
Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and
editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or
the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not
necessarily represent state-of the-art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge. Neither
ENISA nor any person acting on its behalf is responsible for the use that might be made of the information
contained in this publication.
Reproduction is authorised provided the source is acknowledged.
© European Union Agency for Network and Information Security (ENISA), 2013
Table of Contents
1 General Description (page 2)
2 Introduction (page 3)
2.1.1 Principle 1 – Data Integrity (page 4)
2.1.2 Principle 2 – Audit Trail (page 5)
2.1.3 Principle 3 – Specialist Support (page 5)
2.1.4 Principle 4 – Appropriate Training (page 5)
2.1.5 Principle 5 – Legality (page 5)
3 Scenario (page 6)
4 Task 1 – Identify characteristics in the HTTP session of fraud (page 8)
5 Task 2 – Identify other attacked customers based on these characteristics (page 12)
6 Task 3 – Hands-on analysis of memory process dump (page 14)
7 Summary of the exercise (page 22)
8 References (page 23)
Main Objective
Present the trainees with the principles of digital forensics and evidence gathering. Establish a common knowledge of the requirements regarding evidence admissibility in a court of law. Show a server-centric approach to evidence gathering as a valuable source for further legal proceedings as well as for establishing patterns of malicious activity. The patterns are then used to quickly identify similar events, both in archived data and in future events as they take place. The exercise also gives an overview of popular malware characteristics, methods of identification and tools that may be used at the scene.
Targeted Audience
The exercise is intended for CERT staff involved in the process of early fraud investigations, to establish mechanisms of fast response to future events and to detect similar actions in other archived data. It applies especially to events where there is a possibility of further legal action.
Total Duration
5.5 hours
Time Schedule
Introduction to the exercise: 0.5 hours
Task 1: Identify characteristics in the HTTP session of fraud: 1.5 hours
Task 2: Identify other attacked customers based on these characteristics: 1.0 hours
Task 3: Hands-on analysis of memory process dump: 2.0 hours
Summary of the exercise: 0.5 hours
Frequency
It is advised to organise the exercise once a year or when new people join the CSIRT/CERT team.
1 General Description
The main goal of this exercise is to provide the trainees with technical knowledge of the tools and reasoning used in digital forensics. Trainees are required to focus on details during the examination of system data as they craft a script to detect similar events throughout the evidence. They also gain insight into network monitoring, learning that information gathered from logging systems and IDS sensors is crucial in any investigation as well as in regular incident handling practice.
The course scenario is based on a common scheme of electronic banking fraud, in which the evidence can only be gathered on the bank side. Only a small percentage of such cases include examining evidence on the client side, especially when the case is not supported by Law Enforcement Agencies or gains that support late in the investigation.
This exercise also presents the trainees with the basic principles of evidence. At all times the trainees should be aware of the documentary nature of the gathering process, and the principles stated in the exercise introduction must be applied.
The exercise consists of 3 components:
1. Identifying the pattern of the malicious activity,
2. Identifying other cases with the same pattern,
3. Analysing collected malware.
1 ENISA CERT Exercises – ‘Identification and handling of electronic evidence’ – https://www.enisa.europa.eu/activities/cert/support/exercise
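The second component above (finding other cases that share the pattern identified in the first) is the kind of script the trainees are asked to craft. The following is an added illustration written for this page and is not code from the ENISA handbook or its exercise material. It sessionises constructed web-server log lines, takes the fingerprint of one session already classified as fraudulent, and lists every other session with the same fingerprint. Everything specific here is an assumption made for illustration: the log lines, the appended `sid=` cookie field, the user agents, and the fingerprint definition (User-Agent plus the ordered request sequence); a real investigation derives its characteristics from Task 1. The digest of the evidence copy is taken before any processing so it can be recorded alongside the analysis.

```python
"""Added example (not from the ENISA handbook): group access-log lines into
sessions, fingerprint one session known to be fraudulent, and report every
other session with the same fingerprint.  Log lines, the session cookie
field, user agents and the fingerprint definition are all constructed."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: Apache combined log format with the session cookie
# appended as a final quoted field.  Session a1 is the one found fraudulent
# in the (assumed) first step; b2 is ordinary use; c3 repeats a1 exactly;
# d4 repeats a1's request sequence but from a different User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2013:10:01:02 +0200] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=a1"
10.0.0.7 - - [12/Sep/2013:10:01:03 +0200] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=b2"
10.0.0.5 - - [12/Sep/2013:10:01:09 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=a1"
10.0.0.5 - - [12/Sep/2013:10:01:10 +0200] "POST /transfer/new HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=a1"
10.0.0.5 - - [12/Sep/2013:10:01:11 +0200] "POST /transfer/confirm HTTP/1.1" 200 120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=a1"
10.0.0.7 - - [12/Sep/2013:10:01:20 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=b2"
10.0.0.7 - - [12/Sep/2013:10:01:25 +0200] "GET /accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=b2"
10.0.0.7 - - [12/Sep/2013:10:03:40 +0200] "GET /logout HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=b2"
10.0.0.9 - - [12/Sep/2013:10:05:01 +0200] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=c3"
10.0.0.9 - - [12/Sep/2013:10:05:07 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=c3"
10.0.0.9 - - [12/Sep/2013:10:05:08 +0200] "POST /transfer/new HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=c3"
10.0.0.9 - - [12/Sep/2013:10:05:09 +0200] "POST /transfer/confirm HTTP/1.1" 200 120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "sid=c3"
10.0.0.11 - - [12/Sep/2013:10:09:30 +0200] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=d4"
10.0.0.11 - - [12/Sep/2013:10:09:45 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=d4"
10.0.0.11 - - [12/Sep/2013:10:10:30 +0200] "POST /transfer/new HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=d4"
10.0.0.11 - - [12/Sep/2013:10:11:02 +0200] "POST /transfer/confirm HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" "sid=d4"
"""

# Combined log format plus the assumed trailing "sid=..." field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "sid=(?P<sid>[^"]*)"$'
)


def evidence_digest(log_text: str) -> str:
    """SHA-256 of the evidence copy, taken before any processing so the
    value can be recorded with the analysis notes."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()


def parse_line(line: str):
    """Named fields of one log line, or None if the line does not parse.
    Unparsable lines are counted by the caller rather than silently dropped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sessions(log_text: str):
    """Group parsed requests by session id, preserving log order.
    Returns (sessions_by_sid, number_of_unparsable_lines)."""
    by_sid = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_sid[rec["sid"]].append(rec)
    return dict(by_sid), unparsed


def fingerprint(records):
    """Assumed fingerprint: the User-Agent together with the ordered
    sequence of 'METHOD path' requests made within the session."""
    return records[0]["ua"], tuple(f'{r["method"]} {r["path"]}' for r in records)


def find_matching_sessions(log_text: str, known_sid: str):
    """Ids of sessions other than known_sid whose fingerprint equals its own."""
    by_sid, _ = sessions(log_text)
    target = fingerprint(by_sid[known_sid])
    return sorted(sid for sid, recs in by_sid.items()
                  if sid != known_sid and fingerprint(recs) == target)


if __name__ == "__main__":
    print("evidence sha256:", evidence_digest(SAMPLE_LOG))
    by_sid, bad = sessions(SAMPLE_LOG)
    print(f"{len(by_sid)} sessions, {bad} unparsable lines")
    print("fingerprint of a1:", fingerprint(by_sid["a1"]))
    print("sessions matching a1:", find_matching_sessions(SAMPLE_LOG, "a1"))
```

On this sample only `c3` is reported: `d4` issues the same four requests but from a different User-Agent, so under the assumed fingerprint it is not a match. Whether the User-Agent belongs in the fingerprint, or whether request timing should be added, is exactly the judgement the first component of the exercise is meant to train; the script only applies whatever characteristics that step produced, across all archived sessions, and leaves the unparsable-line count visible so gaps in the evidence are noticed rather than hidden.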