Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

Transcription

1 Forensics for Cybersecurity Pete Dedes, CCE, GCFA, GCIH

2 WHO AM I? Pete Dedes, Forensics Analyst, Sword & Shield Enterprise Security Education Bachelor s of Science Computer Science, University of Tennessee Certifications: CCE Certified Computer Examiner GCFA GIAC Certified Forensic Analyst GCIH GIAC Certified Incident Handler Licensed Private Investigator in State of Tennessee Digital Forensics Intellectual Property Theft Domestic Cases Unlawful Termination Computer Usage Policies Electronic Discovery Mobile Device Forensics Security Analyst / Incident Handler Network Vulnerability Assessments and Penetration Tests Sensitive Data Discovery Security Assessments Incident Response

3 PRIMER - INCIDENT RESPONSE Preparation plan the IR capability, but also prevent incidences by ensuring a secure system, applications, and networks. Identification and Scoping security team discovers an incident, or is notified by a 3 rd party (LE or SOC). Proper identification of ALL compromised systems is important. Containment / Intelligence Gathering Eradication/Remediation Recovery Follow Up/Lessons Learned

4 WHAT IS EVIDENCE? Anything that can be collected from the systems under investigation. Anything that can be used to prove or disprove a fact.

5 WHAT IS FORENSICS? Recovery and investigation of material found in digital devices: Criminal/Civil Cases Network Forensics Mobile Forensics

6 WHY BOTHER WITH INTELLIGENCE GATHERING? Reasons why we collect and analyze evidence: Prepare to prevent future breaches (plug the holes). Determine what the target was. Assess what valuable information was exposed/exfiltrated. Fulfill an obligation to disclose (Breach Notification Policy).

7 EVIDENCE COLLECTION The part of the intelligence gathering stage in incident response: Attackers try to cover their tracks to make discovery difficult so they can continue operating undetected. They also want to keep their methods secret to prevent future defensive measures. When an incident is discovered, we re compelled to get things back to normal. This risks destroying valuable information about the attack in the process. To prevent future attacks of the same kind, we need to understand as much as we can about the current one. We need to take the time and effort to preserve computers, logs of all kinds, computer memory if possible, user information and any other pertinent information before the evidence is destroyed.

8 EVIDENCE Types Hard drives, memory, removable media. Process information, network connections, log files and user information. Methods Forensically sound collections. Avoid data loss. Collect information in the correct order. Store an original copy of evidence and only work on copies of the original.

9 IF LITIGATION COULD RESULT Start a Chain of Custody form Generate, verify and store Hash Values (MD5, SHA1, etc) Create Forensic Images whenever possible Document everything about the collection. You will need to ensure integrity. How evidence was obtained and the process of collection. Store originals and copies in a access-controlled area.

10

11 STATIC DATA VS VOLATILE DATA Collecting evidence in the correct order is key. Some systems must be collected live if no other options exist, or if it is important to capture the state of a system (current processes). Shutting down a system can destroy valuable evidence (temp files removed, processes stopped, memory cleared).

12 COLLECTING THE EVIDENCE Hard Drive Images Memory Dump Copies of Removable Media Mobile Devices Network Log Files Virtual Machines

13 TOOLS FOR COLLECTING EVIDENCE Write-Blockers Tableau, Thumbscrew, HardCopy, DiskJocky, Firefly Software FTK Imager, Sumuri, Linux dd commands F-Response Remote Acquisition UFED, Lantern Mobile Device Wireshark Live Network Capture, Offline Analysis Reference:

14 STATIC ACQUISITION

15 LIVE ACQUISITION

16 OSX FROM BOOT DISK

17 MEMORY ANALYSIS

18 REMOVABLE DEVICES

19 PHONE ACQUISITIONS

20 SMART PHONE

21 SMART PHONE GEO-ANALYSIS

22 VIRTUAL MACHINE EXPORT

23 NETWORK LOGS

24 WHAT IS DONE WITH THE EVIDENCE? Copies given to a security company for forensic analysis In-house analysis if so equipped Looking for: Root source of breach Damages incurred Spread of breach throughout the network

25 CONCLUSION Acquire the tools needed for your environment. Get familiar with the tools. Know what network devices to pull logs from.

26 QUESTIONS? Thank you for your time today. I would be happy to answer any questions