- Conference paper: Pool Allocations as an Information Source in Windows Memory Forensics (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Schuster, Andreas; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: The Microsoft Windows kernel provides a heap-like memory management, called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example, this article describes the steps necessary to detect traces of network activity in a memory dump.
- Conference paper: Automated resolving of security incidents as a key mechanism to fight massive infections of malicious software (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Kaiser, Jochen; Vitzthum, Alexander; Holleczek, Peter; Dressler, Falko; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: Today, many end systems are infected with malicious software (malware). Often, infections will last for a long time due to missing (automated) detection or insufficient user knowledge. Even large organizations usually do not have the necessary security staff to handle all affected computers. Obviously, automated infections with malicious software cannot be handled by manual repair; new approaches are needed. One way to encounter automatic mass infections is to semi-automate the incident management. Less important security incidents should be handled by the user himself, while serious incidents should be forwarded to qualified personnel. To enable the end user to resolve his own security incidents, both organizational and technical information have to be provided in a comprehensible way. This paper describes PRISM (Portal for Reporting Incidents and Solution Management), which consists of several components addressing the goal: a unit receiving security incidents in the IDMEF format, a component containing the logic for handling security incidents and corresponding remedies, and a component generating dynamic web pages presenting adequate solutions for recorded security incidents. PRISM was verified using case studies for universities, companies and end-user/provider scenarios.
- Conference paper: CarmentiS: A Co-Operative Approach Towards Situation Awareness and Early Warning for the Internet (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Grobauer, Bernd; Mehlau, Jens Ingo; Sander, Jürgen; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: Although plenty of organizations collect sensor data such as IDS alerts or darknet flows, local analysis has its definite limits when it comes to deriving conclusions about happenings and trends within the Internet as a whole. CarmentiS, a joint effort of the early warning working group within the German CERT association, provides an infrastructure and organizational framework for sharing, correlating and cooperatively analyzing sensor data. The infrastructure allows organizations to submit sensor data (at the moment, net flows and IDS alerts are treated) over a secure channel to a central database. Cooperative analysis of the data is made possible via a secure web front end allowing analysts of participating CERTs to create and execute analysis profiles as well as share and discuss analysis results. Thus correlating sensor data and pooling know-how and resources for analysis from different sites, CarmentiS provides a framework for a co-operative approach towards situation awareness and early warning for the Internet. This article gives an overview of the CarmentiS infrastructure and organizational framework, and describes the current status of the project. It also addresses open questions that can only be solved by experimenting with co-operative analysis and gives an outlook of possible further developments of the CarmentiS approach towards improved situation awareness and early warning.
- Conference paper: Effectiveness of Proactive CSIRT Services (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Wiik, Johannes; Gonzalez, Jose J.; Kossakowski, Klaus-Peter; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: Many authors have suggested that Computer Security Incident Response Teams (CSIRTs) need to deliver more proactive services to stay effective, but there are hardly any studies investigating to what extent existing proactive services are indeed effective or how to make them more effective. We view the proactive services as cross-organisational learning processes, where CSIRTs facilitate learning between information providers (i.e. vendors of commercial off-the-shelf software) and users of this information (i.e. users of such products) in the CSIRT constituency. Cross-organisational learning processes carry the promise of avoiding incidents and the hope of saving considerable resources, but only if the constituents are enabled to learn from the experiences of the past and from others effectively.
- Conference paper: A Distributed Security Announcement Authoring System with CAIF Support (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Garbe, Anselm R.; Goebel, Oliver; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: Many Security Teams issue Security Announcements (aka Advisories) to their constituencies to provide them with up-to-date information about security problems in soft- or hardware and their mitigation by applying workarounds or patches. To be able to use the benefits of advanced document formats designed for this task, like the Common Announcement Interchange Format (CAIF), powerful software that also implements an authoring process is a prerequisite. This article describes the architecture of, and the authoring process implemented by, a distributed authoring system based on but not limited to CAIF. It presents the parts of the system API to adapt, further develop, and integrate existing authoring systems, like the SIRIOS System, into the distributed authoring process, based on web-service and classic RPC technology.
- Edited book: IT-Incident Management & IT-Forensics - IMF 2006 (2006). Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens.
- Conference paper: Detecting New Patterns of Attacks — Results and Applications of Large Scale Sensoring Networks (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Voss, Torsten; Kossakowski, Klaus-Peter; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: It is still not clear how large scale sensoring networks can be turned into useful resources for incident response teams. Recent research has shown that the work of incident response teams is clearly exposed to denial of service attacks if the handling of low number / high priority incidents is not separated from the work related to high number / low priority incidents [WK05]. This would imply that handling the magnitude of data coming from large scale sensoring networks will pose concrete operational problems to any incident response team dealing with it. While there are some strategies to mitigate this problem, we believe that only selecting the 'interesting' events through filtering is not good enough and gives away useful insights that are inside the data but not yet obviously visible to an unaware observer. Therefore our research objective is to identify successful strategies of how to extract useful data automatically out of large data sets. So far we have succeeded in improving a suggested algorithm and testing its application in an operational setting. This paper will outline the algorithm, any improvement made, as well as the key insights in its application.
- Conference paper: The Contribution of Tool Testing to the Challenge of Responding to an IT Adversary (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Lyle, James R.; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: The investigator is being presented with more data and more types of data to analyze. The investigator cannot work without tools. Tools are needed to acquire and analyze the data and solve the case. If the accuracy of any tools is successfully challenged in a court of law, then any results based on the tools can be suppressed and not presented. Even if an investigation is not going to any formal proceeding, the investigator wants to know the limitations of any tools used in an investigation. This can best be accomplished by an independent assessment of the tools. This paper describes the Computer Forensics Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) in the United States. Currently, the CFTT project is developing tool specifications, test plans, test procedures, and test sets. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools' capabilities. Our approach for testing computer forensic tools is based on well-recognized international methodologies for conformance testing and quality testing.
- Conference paper: Technical Development of Cyber Crime (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Schulz, Rolf; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens.
- Conference paper: Establishing a Centre for Information Security: Experiences from the Trial Period and Recommendations to Similar Initiatives (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Line, Maria B.; Røstad, Lillian; Göbel, Oliver; Schadt, Dirk; Frings, Sandra; Hase, Hardo; Günther, Detlef; Nedon, Jens. Abstract: The Centre for Information Security, a national centre of competence, was initiated to reduce the overall vulnerability related to ICT systems in Norway. The trial period ran from 2002 to 2005, and the centre is now permanently established. This paper presents the centre as it was operated during the trial period. The main activities performed are described, together with experiences and lessons learned. Recommendations to similar initiatives to be established are provided.