Assignment 7 - Security in Networks
Hands-on Activity (DUE April 11, 2003 by midnight EST)
Computer Forensics
"Cybercrime and the use of information technology to facilitate criminal activity is a never-ending race of evolving threats and responses. Almost all crimes affecting businesses involve a computer system which is used as a virtual filing cabinet or the actual instrument of a crime.... the vast majority of documents and other recorded information now exist in digital form.... Security professionals and investigators must not only know how to respond to an incident, but also need to have the proper tools to aid them in handling digital evidence in a timely and effective manner." EnCase pamphlet from Guidance Software.
"The AccessData Forensic Toolkit™ (FTK™) offers law enforcement and corporate security professionals the ability to perform complete and thorough computer forensic examinations. The FTK features powerful file filtering and search functionality. FTK's customizable filters allow you to sort through thousands of files to quickly find the evidence you need. FTK is recognized as the leading forensic tool to perform e-mail analysis."
Pre-assignment:
- Download and install a copy of the Forensic Toolkit:
http://www.accessdata.com/Product04_Download.htm?ProductNum=04
- Download and install a copy of the Known File Filter (KFF) Library from
the same location.
- Download the image file
http://csc.ColumbusState.edu/summers/NOTES/6126/labs/image3.zip
(15 MB compressed; 43 MB uncompressed).
- Run FTK (Forensic Toolkit) and explore the different options.
Assignment:
- PART 1: Creating a new case, creating the directory structure and adding files for analysis.
- Start / Create a new case with the following information:
- Case number: 24
- Case name: Messier
- Case path \Cases\Messier\
- In the Case Log Options Window, leave all items selected
- In the Processes to Perform Window, select MD5 Hash, SHA Hash, KFF Lookup and Full Text Index.
- In REFINE CASE - use defaults
- In REFINE INDEX - use defaults
- In the Add Evidence window, use the image file that you downloaded.
- QUESTIONS:
- How many total files are there?
- How many KFF Alert Files are there? What are KFF Alert files?
- How many encrypted files are there?
- PART 2: Identify, Export and Bookmark Graphics and related files.
- Select several pictures of Saturn and add them to a bookmark named "Saturn".
- Use the Full Text index search function to identify all files that
discuss Saturn and add those files to the bookmark.
- Change to the Bookmark view and make sure the Include in Report and Export Files boxes are checked.
- Create a report from the File pull-down menu: File - Report Wizard.
- Enter NASA for the agency/company. Fill in your personal data.
- In the Bookmarks - A window, select:
- Yes, include bookmarks flagged "Include in report"
- Include thumbnails of bookmarked graphics
- Yes, export only files from bookmarks flagged "Export to report."
- In the Bookmarks - B window, select Add/Remove File Properties and choose the file properties: File Name, Path, Item #, File Type, Category, L-Size, CrDate, ModDate, AccDate.
- In the Graphics Thumbnails window, select Yes, include only graphics flagged green in the Graphics View, and 6 per row.
- Accept the defaults in the next three windows.
- Save your report for submission later.
- PART 3: Searching for Evidence. Use the Full Text index search functions
to answer the following questions:
- What is Stephen Hawking's birth date?
- On March 13, 1781, William Herschel discovered what he believed was a comet. What was it?
- When did Galileo enter the University of Pisa?
- Who was the first scientist to discover the supernova near Cassiopeia?
- PART 4: Identifying contraband.
- Locate the unique graphic files marked as KFF Alert files. These files
represent known contraband. Identify the e-mail where these files originated
and add the files to a bookmark named "Contraband".
- Create a report for the Contraband files.
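The KFF Lookup enabled in Part 1 and the KFF Alert files located in Part 4 both rest on the same mechanism: every file in the image is hashed (MD5 and SHA-1, the two hashes the case options turn on) and the hash is compared against a library of known files, which marks each match as Ignore (known operating-system or application files) or Alert (known contraband). The example below is an added illustration of that lookup in Python; it is not part of the assignment or of FTK, and the sample files, hash library and status names are constructed for the demonstration.

```python
import hashlib
import os
from typing import Dict, Tuple

# Constructed sample "evidence" files (name -> contents); not from image3.zip.
SAMPLE_FILES: Dict[str, bytes] = {
    "saturn1.jpg": b"\xff\xd8\xff\xe0 constructed jpeg of Saturn",
    "notepad.exe": b"MZ constructed Windows binary",
    "contraband.gif": b"GIF89a constructed known-bad image",
    "hawking.txt": b"constructed text about Stephen Hawking",
}

def hash_file(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-1 hex digests, the two hashes the case options turn on."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

# KFF-style library keyed by MD5. The status strings mirror FTK's Alert/Ignore
# categories; the entries are constructed from the sample contents above.
KFF_LIBRARY: Dict[str, str] = {
    hash_file(SAMPLE_FILES["notepad.exe"])[0]: "ignore",
    hash_file(SAMPLE_FILES["contraband.gif"])[0]: "alert",
}

def load_tree(root: str) -> Dict[str, bytes]:
    """Read every file under root into a name -> bytes map (for a real tree)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root)] = fh.read()
    return files

def kff_lookup(files: Dict[str, bytes], library: Dict[str, str]) -> Dict[str, str]:
    """Classify each file as 'alert', 'ignore' or 'unknown' by MD5 match."""
    return {name: library.get(hash_file(data)[0], "unknown")
            for name, data in files.items()}

def case_summary(files: Dict[str, bytes], library: Dict[str, str]) -> Dict[str, int]:
    """The counts Part 1 asks for: total files and files per KFF status."""
    statuses = kff_lookup(files, library)
    summary = {"total": len(statuses), "alert": 0, "ignore": 0, "unknown": 0}
    for status in statuses.values():
        summary[status] += 1
    return summary

def kff_alert_files(files: Dict[str, bytes], library: Dict[str, str]) -> list:
    """The names Part 4 asks you to locate: files whose hash is in the alert set."""
    return sorted(n for n, s in kff_lookup(files, library).items() if s == "alert")
```

Note that a single changed byte (re-saving an image, for instance) changes both hashes, which is why FTK also asks you to verify the files visually rather than relying on the hash set alone.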
Post-assignment:
SUBMIT TO DROP-BOX in eCollege.
- Submit answers to questions from Part 1 and 3.
- Submit reports from Part 2 and 4.
- Answer the following questions:
- Describe several uses of FTK.
- Which feature of FTK did you find the most useful and why?
- Which feature of FTK did you find the most difficult to use and
why?
Discussion Questions
- (DUE April 9, 2003 by midnight EST) Select one of the following questions
to discuss in detail through the threaded discussion.
- You are designing a business in which you will host companies' web
sites. What issues can you see as single point of failure? List the
resources that could be involved. State ways to overcome each resource's
being a single point of failure.
- One argument in the security community is that lack of diversity is
itself a vulnerability. For example, Microsoft Internet Explorer is used by
over 90% of the Internet users. What security risk does this control of the
market introduce? Suppose there were two (each with significant share of the
market). Would two negate that security risk? What about if there were
three? (NOTE: In 2002 over 80 vulnerabilities in IE were patched; over 30 remain.)
- How can a web site distinguish between a lack of capacity and a
denial-of-service attack? For example, web sites often experience a
tremendous increase in volume of traffic right after an advertisement with
the site's URL is shown on television during the broadcast of a popular
sporting event. That spike in usage is the result of normal access that
happens to occur at the same time. How can a site determine that high
traffic is reasonable?
- Suppose you have a high-capacity network connection coming into your
home, and you also have a wireless network access point. Also suppose you do
use the full capacity of your network connection. Describe reasons you might
still want to prevent an outsider from obtaining free network access by
intruding into your wireless network. (see the first slide of http://csc.ColumbusState.edu/summers/Research/IA-presentation.ppt)
- (DUE April 14, 2003 by midnight EST) Select a discussion from one or more
of your classmates and respond to their comments.
Webliography Assignment
(DUE April 14, 2003 by midnight EST) Submit to the class Webliography 5 annotated links related to network security. These will be added to our Information Assurance E-library (http://csc.ColumbusState.edu/summers/e-library/security.html). You will receive 1 point for a new link alone, 1 point for an annotation of one of my links, or 2 points for a new annotated link.