N10-007 Explain the purpose of various network access control models

802.1x

Posture assessment

A posture assessment is any evaluation of a system's security state based on the settings and applications found on it. In addition to looking at values such as Registry settings or file dates, a NAC can also check 802.1X, the IEEE standard for port-based authentication of devices attempting to connect to the network.

Quarantine network

Network Access Quarantine Control (NAQC) prevents unrestricted access to a network from a remote location until the destination computer has verified that the remote computer's configuration meets the requirements and standards outlined in a script.

To use NAQC, your remote-access computers must be running any of the following: Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid that contains the connection information, the baseline script and a notifier component, which you can create using the Connection Manager Administration Kit (CMAK) in Server 2003. Finally, you’ll need an NAQC-compliant RADIUS server, such as the Internet Authentication Service in Server 2003, so that you can restrict network access.

Under NAQC, when a connection is established, the destination computer gives the connecting remote computer an IP address, but the connection is placed in "quarantine mode".

In quarantine mode, the following restrictions are in effect:

  • A set of packet filters is enabled that restricts the traffic sent to and received from a remote-access client.
  • A session timer is enabled that limits the duration of a remote client’s connection in quarantine mode before being terminated.

Once the remote computer is in quarantine mode, the baseline script is run. If the script runs and its checks pass, the client contacts the listening service on the Server 2003 back-end machine and reports the result. Quarantine mode is then removed and normal network access is restored. Otherwise, the client is disconnected when the session timer reaches the configured limit, as described previously.
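The quarantine flow above (quarantine filters, session timer, baseline script, listener notification) as an added Python simulation; this is not Microsoft's NAQC code, and the client address, the listener port and the check names are constructed values.

```python
from dataclasses import dataclass, field

# Assumed quarantine packet filter: while quarantined the client may only reach DNS
# and the listener that receives the script result (7250 is a placeholder port).
QUARANTINE_ALLOWED = {("udp", 53), ("tcp", 7250)}


@dataclass
class QuarantineSession:
    client_ip: str
    timeout_s: int            # session timer limit for quarantine mode
    elapsed_s: int = 0
    quarantined: bool = True  # every new connection starts in quarantine mode
    connected: bool = True
    log: list = field(default_factory=list)

    def packet_allowed(self, proto: str, dport: int) -> bool:
        """Apply the quarantine packet filters to an outbound client packet."""
        if not self.connected:
            return False
        if not self.quarantined:
            return True
        return (proto, dport) in QUARANTINE_ALLOWED

    def tick(self, seconds: int) -> None:
        """Advance the session timer; a client still in quarantine is disconnected."""
        self.elapsed_s += seconds
        if self.quarantined and self.elapsed_s >= self.timeout_s:
            self.connected = False
            self.log.append("session timer expired in quarantine: disconnected")

    def report_baseline_result(self, checks: dict) -> bool:
        """Deliver the baseline script result to the listener; all checks must pass."""
        failed = sorted(name for name, ok in checks.items() if not ok)
        if failed or not self.connected:
            self.log.append(f"baseline checks failed: {failed}")
            return False
        self.quarantined = False
        self.log.append("listener notified: quarantine removed")
        return True


def run_session(checks: dict, timeout_s: int = 120, script_runtime_s: int = 30):
    """Simulate one connection: quarantine, run the script, report, wait out the timer."""
    session = QuarantineSession("10.0.0.5", timeout_s)  # constructed client address
    session.tick(script_runtime_s)      # time spent running the baseline script
    session.report_baseline_result(checks)
    session.tick(timeout_s)             # enough time for the session timer to fire
    return session
```

A script that runs longer than the session timer never gets to report, so the client is dropped: the design fails closed.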

Summarize basic forensic concepts

First responder

Basic techniques to complete a field forensic recovery are the same for civilian and law enforcement analysts, but the frameworks differ in a couple of key areas. Searches by law enforcement are bound by the Fourth Amendment; searches by civilian investigators aren’t. Another difference is that law enforcement evidence is held to a higher standard of proof than civilian evidence.

The differences between the two camps are obvious in the way crime scenes are treated:

  • Law enforcement: Officials set up a perimeter around a crime scene with the intention of keeping out anyone who could contaminate the scene. They can arrest anyone who doesn’t obey.
  • Civilian: Usually, a “crime scene” is handled by someone in charge of the equipment or location, such as a manager or supervisor. Because that person is in charge, if you interfere with the investigation, you’re fired or charged with trespassing.

Secure the area

As the computer forensic analyst, you’re usually not one of the first responders. Rarely are you called on to secure a crime scene. Regardless, you still need to know how this part of the process works so that you don’t inadvertently compromise the perimeter or crime scene:

1. A first responder always assumes that a crime is still in progress until they can secure the scene.
Safety for themselves and others is paramount at this point. If anyone requires medical assistance, it occurs now.
2. After a first responder verifies that the crime scene is no longer a danger or threat, evidence preservation becomes the priority.
Perimeters are set up, and all suspects, witnesses, and bystanders are separated and questioned.
3. After perimeters are set up, access is controlled, and documentation begins, first responders prepare to hand over the crime scene to the lead investigator or investigator in charge (IIC) depending on what term is used in your jurisdiction.
Handing off the responsibility to the lead investigator requires a briefing to exchange as much detailed information as time permits.
4. The lead investigator does a scene walk-through to figure out exactly what needs to be done to process the crime scene.
5. You receive a call to pick up your toolkit and start making your way to the crime scene.
6. When you arrive at the crime scene, you contact the lead investigator to receive a full briefing.

Your documentation should now be in motion. During the briefing, ask which protocols are in place for the crime scene, such as access, suspect locations, witness locations, types of equipment that investigators think they have, and, most importantly, which evidence you need to look for.

Document the scene

You have the lay of the land and have been briefed by the person in charge. Now what? The next step you take is documenting the scene, or surveying the scene. In this step, you’re essentially recording in some form the scene as you came upon it and quite possibly your actions at the scene up to when you leave.

Always consult the policies and procedures in your local area before starting your survey.

When you begin your survey, follow these steps:

1. Interview owners and users before setting foot in the crime scene.
You interview the owners or users of the system to begin building an idea of what environment you're walking into. Questions you typically ask involve the purpose of the computer, any passwords, any encryption, destructive devices, and whether any off-premise storage devices are used. Make sure to interview people separately and in the presence of another member of your team.
2. Videotape the crime scene.
Your first step into the crime scene should stop right there. Take a 360-degree look around to get your bearings. At this point, you should be knee-deep in the documentation process to show what the scene looked like before you walked in.
3. Do a walk-through.
Walk through the crime scene to look at items that give you insight into which type of computer system you're dealing with.
4. Check the suspect's computer and devices.
It's time for your documentation and analysis of the suspect's computer and devices.
5. Decide where to do the analysis.
Decide whether to do a field analysis or pack everything and take it to your lab. Most of the time, you pack up.

If you head to the forensic lab for further analysis, document where everything was placed as you start to tear down the crime scene for analysis in your lab.

eDiscovery

You first deal with evidence and the rules of evidence early in a case, during discovery, the investigative phase of the litigation process. When you deal with e-evidence, this process is cleverly referred to as electronic discovery, or e-discovery. Each side has to give (or produce) to the other side what they need in order to prepare a case.

Discovery rules are designed to eliminate surprises. Unlike in TV dramas, surprising your opponent with information, witnesses, or experts doesn’t happen. If you think about it, without rules against surprises, trials might never end! Each side would keep adding surprises.

You can think of discovery as a multistage process, most often a painful one, of identifying, collecting, searching, filtering, reviewing, and producing information for the opposing side in preparation for trial or legal action. For e-discovery, you as a computer forensic expert play a starring role, as do the software and toolset you use. Many cases settle on the basis of information that surfaces during discovery and negotiations.

E-discovery demands can become a weapon in many cases. Parties have even been forced to settle winnable cases to avoid staggering e-discovery costs. E-discovery rules try to prevent the risk of extortion by e-discovery. Suppose that a company estimates that defending itself in a lawsuit would cost $1.3 million for e-discovery plus other legal fees. If the company were being sued for less than e-discovery costs, the case wouldn’t get to court. The company would be predisposed to settle the lawsuit to avoid the cost of the e-discovery process.

Evidence/data collection

Chain of custody

Chain of custody is the care, control, and accountability of evidence at every step of an investigation, maintained so that the integrity of the evidence can be verified. It is the process of validating how the e-evidence was gathered, tracked, and protected on its way to a court of law. If you don't have a chain of custody, you don't have evidence.
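An added example (not from these notes) of how the chain-of-custody idea above, and the chain-of-custody form listed later under forensics reports, can be enforced technically: each custodian re-hashes the evidence image on receipt, and each log entry is linked to the previous one so that both evidence modification and edits to the log itself are detectable. The evidence bytes, names and timestamps are constructed.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Tamper-evident chain-of-custody record for one evidence item."""

    def __init__(self, evidence_id: str, image: bytes):
        self.evidence_id = evidence_id
        self.baseline = sha256_hex(image)  # hash taken at acquisition
        self.entries = []

    def record(self, when: str, custodian: str, action: str, image: bytes) -> dict:
        """Append an entry; the link hash covers the entry and the previous link."""
        prev_link = self.entries[-1]["link"] if self.entries else self.baseline
        body = {"seq": len(self.entries) + 1, "when": when, "custodian": custodian,
                "action": action, "sha256": sha256_hex(image)}
        link = sha256_hex((prev_link + json.dumps(body, sort_keys=True)).encode())
        entry = {**body, "link": link}
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev_link = self.baseline
        for expected_seq, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "link"}
            if e["seq"] != expected_seq:
                problems.append(f"entry {e['seq']}: sequence gap, expected {expected_seq}")
            expected_link = sha256_hex((prev_link + json.dumps(body, sort_keys=True)).encode())
            if expected_link != e["link"]:
                problems.append(f"entry {e['seq']}: log entry altered or out of order")
            if e["sha256"] != self.baseline:
                problems.append(f"entry {e['seq']}: evidence hash differs from acquisition hash")
            prev_link = e["link"]
        return problems


# Constructed sample scenario: one transfer from scene to lab.
IMAGE = b"constructed disk image bytes 0001"
custody = CustodyLog("EV-001", IMAGE)
custody.record("2024-01-10T09:00Z", "A. Analyst", "acquired at scene", IMAGE)
custody.record("2024-01-10T13:30Z", "B. Custodian", "received at lab", IMAGE)
```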

Data transport

After you have everything in your vehicle and ready to go, head straight to the lab. Don’t make any side trips or take longer than is necessary, because you’re dealing with fragile evidence. Letting computer equipment and media sit in a hot vehicle is always a bad idea. Keep in mind these risks when transporting e-evidence to the lab:

  • Heat: Never let the evidence sit in a hot car! Severe heat warps disc drives and makes evidence unreadable.
  • Sunlight: Direct sunlight can damage evidence by raising heat levels quickly.
  • Static electricity: Vehicle carpets and low humidity generate static electricity, and an electrostatic discharge can damage any evidence it reaches. Use rubber mats.
  • Momentum: A vehicle in motion has brakes. Its contents have momentum. To avoid bashing around the evidence, secure it!
  • Environmental factors: Be alert to what’s in your car and what you put into it. Electromagnets, high-wattage radios, or anything that generates energy either magnetically or by way of radio frequency has the potential to harm computer evidence.

Forensics report

Most people hate to do paperwork. Most types of paperwork have a purpose, though. The computer forensic investigative world is no different: Paper trails are essential to document the what, why, where, and how of a case. Although forms and reports vary among organizations, here are the basic types:

  • Chain of custody: This form shows where the evidence has been and who has been responsible for it.
  • Intake form: On this inventory list, detail the equipment you have accepted into your custody. This type of form is related to the chain-of-custody form, but is used as a reference for you or your department.
  • Case journal: On this running list, record what analysis you've done and its results. Most forensic software toolsets have this function built in; keep a case journal manually if you're not using such a tool.

Legal hold

Legal hardball is expensive, irrational, and rampant. Parties involved in commercial or civil litigation often defy rational behavior. (Commercial litigation covers business and employment disputes.) In contentious divorce actions, the crazy-meter can go off the chart. Litigation cases range from relatively simple matters to complex, money-burning sagas that take years to resolve.

For all types of cases at all times, the devil is in the details. Small items in an investigation, if overlooked, open loopholes that the opposing side can use to undercut your results and make you look incompetent. Loopholes may be either party’s best or only chance of winning. Learn how to harness loophole power. The opportunity to harm the case or be humiliated on the witness stand is unlimited, for either not following standard procedure or not being able to defend what you did or did not do. By making informed choices about forensic methods and work habits, you defend your analysis and opinions from fact spinning by the opposition.