Tuesday 18 December 2012

six-step methodology for volatile data collection

Methodology for volatile data collection

Step 1: Incident Response Preparation.
Step 2: Incident Documentation.
Step 3: Policy Verification.
Step 4: Volatile Data Collection Strategy.
Step 5: Volatile Data Collection Setup.
Step 6: Volatile Data Collection Process.
These steps are designed to be used by an investigator to investigate intrusion cases common to larger networks. For purposes of this document, our focus is on Step 6.

Steps in the Volatile Data Collection Process

Step 6, Volatile Data Collection Process, involves the following five steps:
  1. Collect uptime, date, time, and command history for the security incident.
  2. As you execute each forensic tool or command, generate the date and time to establish an audit trail.
  3. Begin a command history that will document all forensic collection activities.
  4. Collect all types of volatile system and network information.
  5. End the forensic collection with date, time, and command history.
A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer

Some of the currently used tools include Helix, a bootable CD that is a collection of incident response tools, and “dd,” a tool written by George Garner to capture RAM. With the understanding that computer systems contain potential evidence that could be destroyed if traditional computer evidence collection methods are employed, investigators can use the following basic steps when collecting volatile evidence:
  • Maintain a log of all actions conducted on a running machine.
  • Photograph the screen of the running system to document its state.
  • Identify the operating system running on the suspect machine.
  • Note date and time, if shown on screen, and record with the current actual time.
  • Dump the RAM from the system to a removable storage device.
  • Check the system for the use of whole disk or file encryption.
  • Collect other volatile operating system data and save to a removable storage device.
  • Determine evidence seizure method (of hardware and any additional artifacts on the hard drive that may be determined to be of evidentiary value).
  • Complete a full report documenting all steps and actions taken.
These basic steps allow the on-scene investigator to collect data that was previously overlooked as unnecessary or simply lost out of ignorance. Open source and commercial tools are currently available that easily allow for this methodology to be followed on a running system. The RAM is dumped first to capture the greatest amount of evidence available. It must be noted that inserting any device into the running system (flash drive, removable drive, or CD) will make minor changes to the system, albeit very small changes. The proper use of these tools does not add evidence or contraband to the system. Running a program to dump the RAM requires that a very small amount of RAM be occupied by the tool to conduct the RAM dump. Inserting a removable drive into a USB port adds an entry to the Microsoft Registry. All of these changes have no effect on the overall state of the evidence and can be further documented at a later time by a traditional forensic examination. Some small changes are made during the process of using some of the available tools that require interaction with the Windows operating system. These changes, however, occur to the operating system files only and do not fundamentally change the content of the data saved on the system.
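The audit trail that the five Step 6 sub-steps and the basic-steps list both ask for (timestamp every command, keep a command history, open and close with date/time/uptime), as an added example that is not part of the original post or of Helix/dd; the command list and the case directory are constructed stand-ins, and the verify() check is what a later examination would use to show the collected outputs are unchanged:

```python
"""Audit trail for the Step 6 volatile collection procedure. Added example,
not part of the original post or of Helix/dd: every tool is run through
AuditTrail.run_logged(), which logs start/end time (UTC), the exact command
line, exit status and SHA-256 of the captured output, so one JSON-lines log is
also the command history. Standard library only; case_dir stands in for the
removable evidence volume; COMMANDS is a constructed Unix-style list, to be
replaced by the equivalents for the OS identified on the suspect machine."""
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

COMMANDS = [("date", ["date"]), ("system", ["uname", "-a"]), ("user", ["id"]),
            ("processes", ["ps", "-ef"]), ("sockets", ["netstat", "-an"])]


def utc_now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class AuditTrail:
    def __init__(self, case_dir):
        self.case_dir = Path(case_dir)
        self.case_dir.mkdir(parents=True, exist_ok=True)
        self.log = self.case_dir / "audit.jsonl"

    def _write(self, entry: dict) -> dict:
        with self.log.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    def marker(self, kind: str) -> dict:
        # Steps 1 and 5: open and close with date, time and uptime (Linux
        # only; elsewhere the gap is recorded as null rather than guessed).
        up = Path("/proc/uptime")
        return self._write({"time": utc_now(), "marker": kind,
                            "uptime_s": up.read_text().split()[0] if up.exists() else None})

    def run_logged(self, label: str, argv: list) -> dict:
        # Steps 2 to 4: timestamp before and after, keep each tool's output in
        # its own file and hash it. A missing or failing tool is recorded
        # (exit -1 or non-zero), not raised, so the trail stays complete.
        start = utc_now()
        try:
            proc = subprocess.run(argv, stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT, timeout=60)
            data, status = proc.stdout, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data, status = str(exc).encode(), -1
        (self.case_dir / f"{label}.txt").write_bytes(data)
        return self._write({"start": start, "end": utc_now(), "cmd": argv,
                            "exit": status, "file": f"{label}.txt",
                            "sha256": hashlib.sha256(data).hexdigest()})

    def entries(self) -> list:
        return [json.loads(l) for l in self.log.read_text().splitlines()]

    def verify(self) -> list:
        """Re-hash every recorded output file; return the names that changed."""
        return [e["file"] for e in self.entries() if "sha256" in e and
                hashlib.sha256((self.case_dir / e["file"]).read_bytes())
                .hexdigest() != e["sha256"]]


def collect_volatile(case_dir=None) -> AuditTrail:
    """Run the Step 6 sequence: BEGIN marker, the tools, END marker."""
    trail = AuditTrail(case_dir or tempfile.mkdtemp(prefix="case-"))
    trail.marker("BEGIN")
    for label, argv in COMMANDS:
        trail.run_logged(label, argv)
    trail.marker("END")
    return trail
```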

Hacker News


Israeli Musical Act Magazine hacked
An Anonymous member with the Twitter handle @OsamaTheGod leaked a large database from the server of Israeli Musical Act Magazine (act.co.il). The leaked database was posted on a public note website and includes user IDs, usernames, passwords in clear text, IP addresses and phone numbers. The hacker posted data on about 10000 users from the site. The reason for the hack has not been mentioned anywhere, but because the hacker uses the #OpIsrael hashtag in his tweets, this could be an attack against Israel in the Anonymous vs Israel fight.


NEW DELHI: The Bharat Sanchar Nigam Limited (BSNL) website, www.bsnl.co.in, was hacked and defaced on Thursday afternoon. A message on the home page said the attack was carried out by the hacktivist group Anonymous India, as a protest against section 66A of the IT Act and in support of cartoonist Aseem Trivedi, on an indefinite hunger strike at Jantar Mantar since Dec 8 for the same. The website was restored around 7 pm.
Trivedi said he had received a call from Anonymous around 1.30 in the afternoon informing him that the website has been defaced. On being asked if such a form of protest was valid, Trivedi said, "When the government doesn't pay heed to people's protests against its laws and arrests innocent people for Facebook posts, then such a protest is absolutely valid."
For most of the afternoon and early evening, the BSNL website wasn't available directly. A cached version of the BSNL home page showed an image of cartoonist Trivedi with text that read "Hacked by Anonymous India. support Aseem trivedi (cartoonist) and alok dixit on the hunger strike. remove IT Act 66a databases of all 250 bsnl site has been d Hacked by Anonymous India (sic)". While this message was repeated over and over on the page, it ended with the line "Proof are (sic) here" followed by a link to a page containing the passwords to BSNL databases. BSNL officials were unaware of the attack until Thursday evening.
Late in the evening, Anonymous India tweeted from their account @opindia_revenge: "BSNL Websites hacked, passwords and database leaked... Anonymous India demands withdrawal of Sec 66A of IT Act."
In an open letter to the Government of India posted on alternate media website Kafila in June this year, Anonymous had explained they only carried out Distributed Denial of Service (DDoS) attacks on Indian government websites, which is different from the act of hacking per se.
Contrary views too exist. Sunil Abraham, executive director, Centre for Internet and Society, says the attack was unwarranted. "Speech regulation in India is not a lost cause, the Minister is holding consultations, MPs are raising the issue in Parliament, courts have been approached and there is massive public outcry on social media. Therefore I would request Anonymous India to desist from defacing websites," said Abraham. A group of MPs, including Baijayant Jay Panda from Odisha, are scheduled to present a motion in Parliament on Friday morning for the amendment of section 66A of the IT Act.
Last month, two young girls were arrested in Palghar, Maharashtra, for criticizing on Facebook the bandh that followed the death of Shiv Sena supremo Balasaheb Thackeray. Before that, Karti Chidambaram, son of finance minister P Chidambaram, took a man to court for commenting on his financial assets on Twitter. In both cases, the complainant 'used' section 66 A of the IT Act. The section and the Act have since come in for wide debate regarding freedom of speech.

SCADA


In what industries are SCADA systems used?
SCADA systems can be used to monitor and control any kind of equipment, process, or operation. Most commonly, they automate complicated industrial processes where manual monitoring and control by human operators just isn't feasible. This includes:
  • electric power generation, transmission, and distribution
  • water and sewage
  • buildings, facilities, and environments
  • manufacturing
  • mass transit
  • traffic signals.
These are only a few common examples, however. SCADA systems are a global reality.
How does monitoring and controlling in real time increase my efficiency and maximize my profitability?
Here's a short list of the tasks you can perform using SCADA systems:
  • You can pull up numerical measurements of critical process values (both the current value and trends over time).
  • You can identify and solve problems before they even start.
  • You can keep your eye on long-term trends and threats.
  • You can identify and attack bottlenecks and inefficiencies throughout the enterprise.
  • You can effectively manage bigger and more complicated processes with a smaller and less trained staff.
SCADA systems enable you to keep a very close eye on your operations. You can deploy sensors and control relays at important places to get a highly detailed "bird's-eye view" of your revenue-generating activities. With SCADA, you will incur less cost while doing more.

You can divide the functions of SCADA systems into four major categories:
  1. Data acquisition
  2. Data communication
  3. Data presentation
  4. Control

1 - Data Acquisition
SCADA systems have to monitor hundreds or perhaps thousands of individual sensors. Some sensors are put in place to measure inputs into the system, while others measure outputs.
Some sensors (known as discrete sensors) are used to monitor very simple "binary" events. These events are either "on" or "off". For example, every time a particular piece of production equipment in a manufacturing plant completes a process, it may output an electrical signal via a contact closure. A discrete sensor will detect this electrical signal and report it back to you at the control console of your SCADA system.
Other sensors measure more complicated values where it's critical to know the exact value. These are called analog sensors, and they measure continuous changes within a possible range of values.
A simple mercury thermometer is a great example of an analog sensor - whereas a simple thermostat is the discrete form of temperature sensor. With the mercury thermometer, you know exactly what the temperature is (within a specific degree of accuracy, of course). With the thermostat, you only know that the temperature is either above or below the value that you preset.
Obviously, analog measurement is important in SCADA systems where you need to keep track of fluid levels in water and fuel tanks, voltages of batteries, temperature, humidity, and other values that are most appropriately measured with a continuous range "analog" sensor.
To make it simpler for a human operator to interact with analog sensors, the best SCADA systems allow you to define a normal range for an analog value. For instance, you might specify that the temperature in your server room should remain between 60 and 79 degrees Fahrenheit. If the temperature in the server room goes outside this range, your SCADA system will provide an automated alert - either at a control console or directly to you via cell phone or e-mail.

2 - Data Communication
SCADA systems involve monitoring multiple processes and pieces of equipment from a single location. To do this, you have to have a communications network to bring remotely collected data to your screen.
Data in modern SCADA systems is typically transported via Ethernet or IP over SONET. It is important, however, to keep SCADA traffic off of the public Internet. This is an important security measure against both the real and perceived threats of terrorism. Public infrastructure, utilities and manufacturing facilities are valuable targets for disruptive attacks. This makes it very important to take at least basic security precautions.
Fortunately, the trend in SCADA systems today is toward open protocols and data formats. While older systems locked you into a single manufacturer to maintain compatibility, today you have many options based on the DNP3 and MODBUS protocols. If you buy a piece of DNP3 or MODBUS equipment today, you can buy compatible equipment tomorrow from one of many other manufacturers. This protects you from the trap of only having a single source for expanding your SCADA system.
In order for your central SCADA console to receive information from sensors, which are very simple devices, you need to install an RTU (Remote Telemetry Unit) at each monitored location. An RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network and back to you.
The same communication works in reverse (from you to your RTU) for control commands. In this scenario, you would issue a command from your central SCADA console. That command would be encoded into the SCADA protocol you are using and sent out across your network. The appropriate RTU would receive and decode your command, then respond by latching a control relay. This command process tells the equipment that you have wired into your RTU to perform a specific action.
Issuing commands remotely provides the substantial benefit of not having to drive out to distant sites every time you receive a SCADA alarm or other alert. In many cases (if you prepared appropriately during your installations), you can skip the drive time and simply issue a remote command.
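The command path just described (master encodes a command in the SCADA protocol, the RTU decodes it and latches a relay), worked through for MODBUS over TCP as an added example that is not part of the original page or any vendor's product. The frame layout is the public Modbus TCP format; the RTU model, its private-network range and its relay count are constructed for the illustration, and the source-address check is the "keep SCADA traffic off the public Internet" precaution applied at the RTU:

```python
"""Master-to-RTU control command over Modbus TCP, the exchange the Data
Communication and Control sections describe: the master encodes a command,
the RTU decodes it and latches a relay (a Modbus coil). Added example, not part
of the original page or any vendor's product. Frame layout follows the public
Modbus TCP specification (MBAP header + PDU); the RTU model, its allowed
network and its relay count are constructed for the illustration."""
import ipaddress
import struct

WRITE_SINGLE_COIL = 0x05
COIL_ON, COIL_OFF = 0xFF00, 0x0000
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, byte count of unit+PDU, unit."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def encode_write_coil(tid: int, unit: int, coil: int, on: bool) -> bytes:
    """Master side: function 0x05, coil address, 0xFF00 = ON / 0x0000 = OFF."""
    return mbap(tid, unit, struct.pack(">BHH", WRITE_SINGLE_COIL, coil,
                                       COIL_ON if on else COIL_OFF))


class RTU:
    """RTU side: decode, apply the checks a control endpoint should make,
    and latch the relay only when every check passes."""

    def __init__(self, unit: int, relays: int, allowed_net: str):
        self.unit = unit
        self.relays = [False] * relays
        self.allowed_net = ipaddress.ip_network(allowed_net)

    def handle(self, frame: bytes, source_ip: str):
        # The page's precaution in code: control traffic must come from the
        # private SCADA network, never the public Internet. Drop silently.
        if ipaddress.ip_address(source_ip) not in self.allowed_net:
            return None
        if len(frame) < 8:
            return None
        tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
        pdu = frame[7:]
        if proto != 0 or length != len(pdu) + 1 or unit != self.unit:
            return None  # malformed, or not addressed to this unit
        func = pdu[0]
        if func != WRITE_SINGLE_COIL:
            return self._exception(tid, func, ILLEGAL_FUNCTION)
        if len(pdu) != 5:
            return self._exception(tid, func, ILLEGAL_DATA_VALUE)
        coil, value = struct.unpack(">HH", pdu[1:5])
        if coil >= len(self.relays):
            return self._exception(tid, func, ILLEGAL_DATA_ADDRESS)
        if value not in (COIL_ON, COIL_OFF):
            return self._exception(tid, func, ILLEGAL_DATA_VALUE)
        self.relays[coil] = value == COIL_ON  # latch the control relay
        return mbap(tid, self.unit, pdu)      # normal response echoes the request

    def _exception(self, tid: int, func: int, code: int) -> bytes:
        # Exception response: function code with high bit set + exception code.
        return mbap(tid, self.unit, struct.pack(">BB", func | 0x80, code))


def exchange(rtu: RTU, source_ip: str, coil: int, on: bool, tid: int = 1):
    """One round trip from master to RTU; returns (response, relay states)."""
    resp = rtu.handle(encode_write_coil(tid, rtu.unit, coil, on), source_ip)
    return resp, list(rtu.relays)
```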

3 - Data Presentation

As a human being, you can't just sit down to read SCADA data in its raw format (at least, you'd never want to). In order to provide at-a-glance status information and make it easier to train new SCADA operators, SCADA systems display information in human readable format at central consoles and via remote alerts.
The central computer in SCADA systems is known as a master station, an HMI (Human-Machine Interface), or an HCI (Human-Computer Interface), depending on who you're talking to. All of these terms mean the same thing: a computer console that aggregates and summarizes data from your SCADA system and offers the ability to issue controls.
Part of aggregating and summarizing the status of your operations and processes is filtering alarms that the operator doesn't need to see. In any operation of substantial size, you run the risk of overloading your operators with frequent, meaningless alerts that they'll quickly learn to ignore. The first time a "real" alarm comes in, it's likely to be missed in the noise of unimportant alarms.
That's exactly why quality SCADA systems allow you to choose which alarms your operators should see. You can filter on location, severity, or the amount of time the alarm condition has existed. Just a few carefully designed filters will hide unimportant "nuisance" alarms from view. All the data is still there, but the operator you hired last week won't be overloaded with worthless information.
After filtering alarms, SCADA systems have to present the data that remains. This can come in all sorts of formats, but the best systems have graphical interfaces that are easy to see and interpret. Ideally, you want a system that offers multiple display options, including geographic maps, blueprints and floor plans, photographs of rack-mounted and other equipment.
Also, if you don't want to be stuck at a central console all the time, you need to choose a SCADA master station that can be accessed by multiple users via remote network connection.
Choose SCADA systems that can send out automatic e-mail and pager/cell phone alerts. This also helps increase your mobility. These updates also provide faster notification of emerging problems that you can tackle from the field without returning to your central office.

4 - Control
As mentioned earlier in our discussion of RTUs, one key function of SCADA systems is to control equipment remotely (and sometimes automatically). It's just not efficient to go to the site of the problem every time you get an alarm. In SCADA, if it seems like there must be a better way, there probably is.
When it comes to controlling equipment remotely, that better way is control relay commands issued from your SCADA master station and transmitted to your RTUs via your network. In this way, you can control equipment as if you were there - without actually wasting any time traveling.
Even better, advanced SCADA systems allow you to pre-specify responses to specific alarms, combinations of alarms, or predefined scenarios. Once you've completed this preliminary databasing, your SCADA system will respond automatically within seconds when an automatic control condition is triggered. This is an excellent way to switch to a backup system in the event of a primary system failure, especially in public safety, telecom, transit, and manufacturing environments.

How do I find the right SCADA systems for my needs?

SCADA systems are major B2B purchases that your company will be using for perhaps 10 or 15 years. You don't want to make a mistake.
Even though the goal of SCADA is to improve your operations, making a hasty decision that turns out to be incorrect can hurt you in many ways. You could end up spending a fortune on band-aid fixes for a system you didn't fully plan out beforehand. You might also find that you've totally exceeded your budget without coming close to the original specifications. There's also the chance that you'll make a mistake you won't detect until a few years down the line - building a system that isn't flexible enough to grow as your company does.
To make sure that you pick the right SCADA systems during your evaluation period, make sure that any system you select meets the criteria discussed in the next few sections:
What do I look for in a SCADA RTU?
You need to choose an RTU that can communicate with all of your equipment and simply survive in the harsh industrial conditions at your sites. Here are some key criteria to look for:
You need to choose an RTU that has sufficient capacity. With that said, you don't want to purchase way more capacity than you'll ever need. That's just as wasteful as not planning enough capacity. Take a survey of your monitoring needs before you select an RTU so you'll know what capacity to look for. Also, look for a SCADA systems vendor who has a wide range of models available. This helps to reduce purchasing hassles later because you only need to deal with one SCADA supplier.
Also, you should look for industrial-grade construction. An RTU in a plastic chassis just isn't going to cut it in your environment. Look for powder-coated metal, high resistance to electromagnetic interference, and an industrial temperature rating (if required).
RTUs with redundant power supplies are equipped to handle the fairly common failure of their embedded power supplies. SCADA systems are 24/7 operations that you can't afford to have fail.
You should also look for RTUs that have nonvolatile memory that can be accessed via LAN. This allows for settings and upgraded firmware to be stored and preserved during power loss. Remote accessibility via LAN enables you to upgrade all the RTUs in your SCADA system from your desk - instead of performing unnecessary site visits.
Control relays are also important features for RTUs. Otherwise, they can only notify you of problems and will not provide a way to remotely respond. It's also a good idea to choose an RTU that can automatically latch its relays in response to prespecified events.
An embedded real-time clock allows an RTU to accurately date-and-timestamp its alarm messages. This is useful both for real-time and historical reporting.
What do I look for in a SCADA master?
In order for your SCADA master to display data effectively, it must have a few key features.
Look for a system that lets you program responses to complex events. This helps to reduce training required for new operators of your SCADA system - and the chance of a costly human error.
Also, you should seriously consider all SCADA systems that support 24/7 e-mail and cell phone notifications. These notification methods send alarms to people who may not be at the central master station at the time. An intelligent SCADA master should allow you to set filters for which alarms should be forwarded to e-mail or cell phone.
Quality SCADA systems include a master that describes alarms in plain English - without technical jargon that only one person at your company has a hope of understanding. To increase ease-of-use, the SCADA master should also filter nonessential alarms that do not need to be displayed.
Make sure your SCADA master supports expansion at a later time. SCADA systems are long-term investments, and you want to make sure you get your money's worth.
Finally, and most importantly, choose a SCADA master that supports multiple protocols (like DNP3 and MODBUS) and equipment types (like RTUs, servers, switches, generators, and manufacturing equipment). You never want to have to split your alarms into multiple SCADA systems because you can't achieve compatibility any other way. That multiplies the amount of manpower required to manage your operations effectively, while increasing the chance that you'll miss an important alarm and have a major problem. Also, look for sensible pricing/licensing when you're looking at offerings from different vendors. Avoid any pricing model that requires you to pay a fee every time you add a new monitored device. You shouldn't have to pay extra just to use the SCADA system you already bought.