Assignment 7 - Security in Networks

Hands-on Activity
(DUE April 11, 2003 by midnight EST)

Computer Forensics

"Cybercrime and the use of information technology to facilitate criminal activity is a never-ending race of evolving threats and responses. Almost all crimes affecting businesses involve a computer system which is used as a virtual filing cabinet or the actual instrument of a crime....the vast majority of documents and other recorded information now exist in digital form....Security professionals and investigators must not only know how to respond to an incident, but also need to have the proper tools to aid them in handling digital evidence in a timely and effective manner." Encase pamphlet from Guidance Software.
"The AccessData Forensic ToolkitTM (FTKTM) offers law enforcement and corporate security professionals the ability to perform complete and thorough computer forensic examinations. The FTK features powerful file filtering and search functionality. FTK's customizable filters allow you to sort through thousands of files to quickly find the evidence you need. FTK is recognized as the leading forensic tool to perform e-mail analysis."

Pre-assignment:

Download and install a copy of the Forensic Toolkit:
http://www.accessdata.com/Product04_Download.htm?ProductNum=04
Download and install a copy of the Known File Filter (KFF) Library from the same location.
Download the image file
http://csc.ColumbusState.edu/summers/NOTES/6126/labs/image3.zip
(15 M compressed; 43M compressed).
Run FTK (Forensic Toolkit) and explore the different options.

Assignment:

PART 1: Creating a new case, creating the directory structure and adding files for analysis.
- Start / Create a new case with the following information:
  1. Case number: 24
  2. Case name: Messier
  3. Case path \Cases\Messier\
- In the Case Log Options Window, leave all items selected
- In the Processes to Perform Window, select MD5 Hash, SHA HAsh, KFF Lookup and Full Text Index.
- In REFINE CASE - use defaults
- In REFINE INDEX - use defaults
- In the Add Evidence, use the file that you downloaded
- QUESTIONS:
  1. How many total files are there?
  2. How many KFF Alert Files are there? What are KFF Alert files?
  3. How many encrypted files are there?
PART 2: Identify. Export and Bookmark Graphics and related files.
1. Select serveral pictures of Saturn and add them to a bookmark named "Saturn".
2. Use the Full Text index search function to identify all files that discuss Saturn and add those files to the bookmark.
3. Change to the Bookmark and make sure the boxes for Include in Report and Export Files are checked
4. Create a report by going to the pull down menu file - Report Wizard
  1. Enter NASA for the agency/company. Fill in your personal data.
  2. In the window Bookmarks - A select
    1. Yes, include bookmarks flagged "Include in report"
    2. Include thumbnails of obookmarked graphics
    3. Yes, export only files from bookmarks flagged "Export to report."
  3. In the window Bookmarks - B, select Add/Remove File Properties and select the file properties: File Name, Path, Item #, File Type, Category, L-Size, CrDate, ModDate, AccDate.
  4. In the window Graphics Thumbnails select Yes, include only graphics flagged green in the Graphics View and 6 per row.
  5. Accept the defaults in the next three windows.
  6. Save your report for submission later.
PART 3: Searching for Evidence. Use the Full Text index search functions to answer the following questions:
1. What is Stephen Hawking's birth date?
2. On March 13, 1781, William Hershel discovered what he believed was a comet. What was it?
3. When did Galileo enter the University of Pisa?
4. Who was the first scientist to discover the supernova near Cassiopeia?
PART 4: Identifying contraband.
1. Locate the unique graphic files marked as KFF Alert files. These files represent known contraband. Identify the e-mail where these files originated and add the files to a bookmark named "Contraband".
2. Create a report for the Contraband files.

Post-assignment: SUBMIT TO DROP-BOX in eCollege.

Submit answers to questions from Part 1 and 3.
Submit reports from Part 2 and 4.
Answer the following questions:

Describe several uses of FTK.
Which feature of FTK did you find the most useful and why?
Which feature of FTK did you find the most difficult to use and why?

Discussion Questions

(DUE April 9, 2003 by midnight EST) Select one of the following questions to discuss in detail through the threaded discussion.
- You are designing a business in which you will host companies' web sites. What issues can you see as single point of failure? List the resources that could be involved. State ways to overcome each resource's being a single point of failure.
- One argument in the security community is that lack of diversity is itself a vulnerability. For example, Microsoft Internet Explorer is used by over 90% of the Internet users. What security risk does this control of the market introduce? Suppose there were two (each with significant share of the parket). Would two negate that security risk? What about if there were three? (NOTE: In 2002 over 80 vulnerabilities in IE patched; over 30 remain)
- How can a web site distinquish between a lack of capacity and a denial-of-service attack? For example, web sites often experience a tremendous increase in volume of traffic right after an advertisement with the site's URL is shown on television during the broadcast of a popular sporting event. That spike in usage is the result of normal access that happens to occur at the same time. How can a site determine that high traffic is reasonable?
- Suppose you have a high-capacity network connection coming into your home, and you also have a wireless network access point. Also suppose you do use the full capacity of your network connection. Describe reasons you might still want to prevent an outsider from obtaining free network access by intruding into your wireless network. (see the first slide of http://csc.ColumbusState.edu/summers/Research/IA-presentation.ppt)
(DUE April 14, 2003 by midnight EST) Select a discussion from one or more of your classmates and respond to their comments.

Webliography Assignment
(DUE April 14, 2003 by midnight EST) Submit to the class Webliography 5 annotated links related to network security. These will be added to our Information Assurance E-library (http://csc.ColumbusState.edu/summers/e-library/security.html) You will receive 1 point if just a new link; 1 point if annotation for one of my links; or 2 points if a new annotated link.