Digital Forensics, from floppies to the Cloud. Can Darwin win the game of digital evolution?

Transcription

1 @kerouanton #ISC2CongressEMEA Digital Forensics, from floppies to the Cloud Can Darwin win the game of digital evolution?

2 Digital Sherlock in a nutshell SOME BASICS

3 Types of digital forensics Investigations Criminal Police Incident Management Breach analysis Data recovery Legal archives

4 Typical forensic workflow

5 From theory to reality SEIZING EVIDENCE

6 The Theory

7 The Reality

8 Diversity

9 Home-made NAS for P2P sharing

10 Physical size vs Logical Size

11 Inventory complexity EVIDENCE COLLECTION

12 Extracting physical media

13 Apple annoyances

14 A typical issue

15 Moore s Law, best ennemy! Major issue with disk size : million of porn files - 18 Tb of disks Several months analysis Very complex case Can quickly become unmanageable.

16 Media gathering Issues Physical Size Logical Size Quantity Diversity Micro-SD cards Terabytes low storage price 10s of formats

17 Another typical issue

18 Cellphone investigation? Priceless! CELL PHONES

19 The cables nightmare

20 Very expensive kits...

21 Police Loves Hard Cases FIELD KITS

22 DNA Field Kit

23 Drone Field Kit

24 GSM Relay Field Kit

25 Cell-phones Field Kit

26 Disk imaging Field Kits

27 All-In-One Field Kit

28

29

30 Seriously, Who can afford this?

31 Mindboggling Parallelization IN THE LAB

32

33

34

35

36 Evidence storage

37 FILE CARVING

38 So many filesystems

39 800 file formats, and more Most forensics tools use the same API for file rendering

40 The time issue 1. Automated Acquisition Takes Hours 2. Automated Carving Takes Hours, Sometimes Days 3. Manual analysis Takes Hours, Days, sometimes Weeks 4. Reporting Takes Days

41 Dealing with NEW «CHALLENGES»

42 Disk Encryption

43 Secure Remote Wiping

44 Tails, TOR and the Darknet

45 What NSA thinks of TOR

46 Darknet Forensics?

47 Embedded devices nightmare

48 Smartphone Encryption

49 IP Box : bruteforcing the PIN

50 imessage, WhatsApp etc.

51 Escaping investigation

52 The Answer about Life, Universe, and Everything 42 = GAMA? (...including Forensics!)

53 Introducing «GAMA»

54 Introducing «GAMA»

55

56

57 icloud

58 Subpoenas

59 Territoriality issues Three possible options 1. Cybercrime agreement (EU, USA, ) helps action on third-party country, but only if we are sure the data are physically stored on the agreeing country. Received directly, must be validated by legal prosecutor. 1. Official request : Commission Rogatoire Internationale (CRI). Takes between 6 and 12 months often too late (if log retention < 6 mois). 2. CRI + backup request. Issues with IP timeout validity, and other proof of evidence elements. The cantonal prosecutor asks Federal Justice Department, who asks OFA in Washington D.C. «Instant» data, further legalizing of obtained evidence. Still not an obligation (for GAMA ) to giveaway data, based on cultural and legal differences amonst countries.

60

61

62

63 Cryptowars - Cloud

64 Cryptowars - Mobile

65 GAMA s Forensic Tools TOWARDS NEW FORENSICS

66

67 Rekall Open Source Python Forensics Framework Virtual Machine Live Forensics Filesystem, Memory, Registy, Processes Multi-OS (Linux, Windows, OSX ) Able to investigate on nested VMs!

68 GRR (Google Rapid Response) Open Source, multiplatform Distributed Forensics Management uses Rekall and more. «Cloud-by-design» Can handle large cases and live investigations ( servers!) Scheduling, and much more features.

69 Final slides TO CONCLUDE

70 Let s recap! Legacy Forensics tools are no longer efficient. Evidence is no longer on Disks, and increasingly in RAM. Evidence is now in virtualized U.S. Clouds (GAMA ). New forensics tools are run by GAMA for their own forensic needs, & cyberattack mitigation. Virtualization and RAM forensics Nested VMs forensics GAMA can collaborate or not, to provide evidence.

71 Fearing the future? GAMA Supremacy, even on Law Enforcement (Cryptowars), is a new interesting challenge. That will lead to the evolution of Legal Arsenal in most countries : To force evidence disclosure by GAMA, To insert backdoors & crypto / key escrow. IS THAT WHAT WE, AS CITIZENS OR COMPANIES, REALLY WANT?

72 Thank #ISC2CongressEMEA By Bruno Kerouanton / éé.net