Thilo W. Pannen
Randolf Skerka

Telefon: +49(0)228 / 2806 - 0
Telefax: +49(0)228 / 2806 - 199
Secure Networks - Computer Forensics

Computer Forensics - Finding the Cause

Computer Forensics is a reactive service that is provided after a security violation has occurred and the situation has to be dealt with. What happened? Who did it? How could this happen? What do we need to do now? How can we prevent this from happening again?

Identifying causes - Eliminating vulnerabilities permanently

After a security incident the cause is often left undetermined. With regard to the system's availability, the system is simply rebooted without looking further into the cause of the incident. This procedure is not advisable. The goal should always be to determine and eliminate the vulnerabilities so that an incident like this cannot recur. SRC supports you in identifying the causes and in defining countermeasures with permanent effect.

Identifying originators

Identifying the originator of the damage is important for incidents in which you may want to claim damages. SRC supports you in recovering lost, deleted or destroyed data on IT systems so that it can be used as evidence in court: to identify the originator of the damage, to preserve evidence that is usable in court proceedings and to reconstruct maliciously destroyed data.

Recognising and limiting the extent of damage

After damage has been recognised, its extent has to be determined. Without destroying evidence or endangering its usability in court, it has to be assessed which IT systems and which information have to be considered compromised. Determining the exact extent of the damage is particularly relevant for an efficient damage-limitation procedure. SRC supports you in recognising the extent of the damage and the affected systems and information, and together we define a procedure to limit the damage.

CERT - quickly making the right decisions after a security incident

After a security incident, in certain cases it is all about limiting the extent of the damage and restoring regular operations as quickly as possible. A Computer Emergency Response Team (CERT) takes on this job. SRC's security experts support you in making the right decisions so that the damage after a security incident can be reduced as far as possible. We help you to reach the right decision at the right moment, and we stay focused even in times of crisis.

Live Analyses

Frequently, when a security incident is identified, the affected system is rebooted immediately without further investigation. From a security perspective this means that the cause of the incident is often not detected and that the rebooted system remains vulnerable to new attacks. To determine the cause of the incident a detailed investigation is necessary, and for that the system must be left in its current state (volatile state such as running processes and open network connections is lost on reboot). SRC supports you with a prompt live analysis of the incident on the affected system and is able to react rapidly.

E-mail Forensics

Today businesses receive large amounts of unwanted e-mail. Normally these are spam messages or messages with deceptive intent (phishing, Trojans, malware, etc.). Sporadically, however, e-mails with offensive content are also received. Flame e-mails received from external sources can be blocked, or their occurrence contained, by using virus and spam filters. If the offensive flame e-mails presumably originate from the company's own network, current law dictates that the incident has to be prosecuted. The offence is an attack on a person's honour through the expression of contempt or disrespect. According to German law (§ 185 StGB) the offence is punishable with a prison sentence of up to one year or a monetary fine; if the offence is committed by means of physical assault, the penalty is a prison sentence of up to two years or a monetary fine. According to German law (§ 194 StGB) the offence is prosecuted only upon request. If an insult is immediately returned, the judge may exempt both or only one of the offenders from punishment according to German law (§ 199 StGB). With the aid of e-mail forensics the authenticity of the e-mail sender is verified and forged e-mails are recognised.

Reverse Engineering

Computer systems are frequently affected by malware (viruses, Trojans, spyware). Recent examples are Trojan horses that intercept passwords, PINs and TANs. For a detailed clarification of the incident, the malware found on the compromised system has to be examined. SRC's consultants support you in the analysis of Trojan horses and determine the exact mode of operation of the malicious software by reverse engineering. One aim of the analysis is, for example, to collect further information for the investigating authorities that contributes to the prosecution of the offender.

Examples of use

References

SRC supported, among others, a large German media enterprise in investigating an attack on its internet presence. We provided consultation on evaluating the impact and extent of the damage and compiled a concept for eliminating the vulnerabilities. SRC has conducted several post-mortem incident analyses for internationally operating banks. SRC's consultants supported a large German telecommunications provider in developing algorithms for the forensic analysis of e-mail headers written by message transport agents. In addition, they were significantly involved in building and operating the first commercial CERT service provider in Germany. SRC has performed forensic analyses within the financial sector at the request of MasterCard.
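The e-mail forensics and e-mail header analysis mentioned above come down to reading the Received chain that message transport agents write. The following is an added illustration, not SRC's own algorithm: it walks the chain in transmission order, reports the IP of the earliest hop, checks whether that hop lies in an assumed company range (10.0.0.0/8), and compares the visible From domain with the envelope Return-Path domain. The sample message is constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the bottom-most Received header,
# i.e. the earliest hop, names a host inside the assumed company range.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.5])
\tby mx.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from ws-42.corp.example.com (unknown [10.20.30.42])
\tby mail.example.com with ESMTP id xyz789; Mon, 1 Jan 2024 10:00:00 +0000
From: "Anonymous" <nobody@mailinator.example>
Return-Path: <bounce@other.example>

body
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: company network
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(msg):
    """Received hops in transmission order (earliest first): each MTA prepends
    its own header, so the last header in the message is the first hop."""
    return list(reversed(msg.get_all("Received", [])))

def hop_ip(hop):
    m = IP_RE.search(hop)  # the bracketed literal IP recorded by the receiving MTA
    return m.group(1) if m else None

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def analyse(raw):
    """Where did the mail enter the chain, and does the visible From match the
    envelope sender? Only hops written by MTAs you operate are trustworthy;
    headers below them may have been forged by the sender."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    origin = hop_ip(hops[0]) if hops else None
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return {
        "hops": len(hops),
        "origin_ip": origin,
        "internal_origin": bool(origin and is_internal(origin)),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_mismatch": from_dom != rp_dom,
    }
```

An internal origin combined with a From/Return-Path mismatch is the pattern that points to a message sent from the company network under a disguised sender; the finding still has to be corroborated against the logs of the MTA that wrote the earliest trusted hop.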
Infos
Detlef Kraus
Copyright © SRC Security Research & Consulting GmbH