Digital Forensics, from floppies to the Cloud
Can Darwin win the game of digital evolution?
@kerouanton #ISC2CongressEMEA
SOME BASICS Digital Sherlock in a nutshell
Types of digital forensics
Investigations – Criminal – Police
Incident Management – Breach analysis
Data recovery – Legal archives
Typical forensic workflow
SEIZING EVIDENCE From theory to reality
The Theory
The Reality
Diversity
Home-made “NAS” for P2P sharing
Physical size vs Logical Size
EVIDENCE COLLECTION Inventory complexity
Extracting physical media
Apple annoyances…
A typical issue…
Moore’s Law, best enemy!
Major issue with disk size:
- 1.2 million porn files
- 18 Tb of disks
• Several months of analysis…
• Very complex case…
Can quickly become unmanageable.
Media gathering issues
• Physical size: micro-SD cards
• Logical size: terabytes
• Quantity: low storage price
• Diversity: tens of formats
Another typical issue
CELL PHONES Cellphone investigation? Priceless!
The cables nightmare
Very expensive kits...
FIELD KITS Police Loves Hard Cases
DNA Field Kit
Drone Field Kit
GSM Relay Field Kit
Cell-phones Field Kit
Disk imaging Field Kits
All-In-One Field Kit
Seriously, Who can afford this?
IN THE LAB Mindboggling Parallelization
Evidence storage
FILE CARVING
So many filesystems
800 file formats, and more…
Most forensics tools use the same API for file rendering…
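The file carving the slides refer to works from byte signatures alone, ignoring the filesystem. As an added example (not from the talk or from any tool it names), a minimal header/footer carver over a constructed disk image; the two signatures and the size cap are assumptions, real tools carry hundreds of signatures:

```python
# Added example: minimal signature-based file carver (not from the talk).
# Scans a raw image for known header/footer pairs and returns the bytes in between.

# Constructed subset of signatures: extension -> (header, footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed cap so a missing footer cannot swallow the image


def carve(image: bytes, max_size: int = MAX_SIZE):
    """Return a list of (offset, ext, data) for every header/footer pair found."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            # only look for the footer inside a bounded window after the header
            window_end = min(len(image), h + max_size)
            f = image.find(footer, h + len(header), window_end)
            if f < 0:
                start = h + 1      # header without footer: skip it, keep scanning
                continue
            end = f + len(footer)
            found.append((h, ext, image[h:end]))
            start = end
    return sorted(found, key=lambda t: t[0])


def build_sample_image() -> bytes:
    """Constructed 'disk image': slack, a JPEG, a PNG, and a truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 10  # header, no footer: not carved
    return b"\x00" * 16 + jpg + b"\x00" * 8 + png + b"\x00" * 4 + truncated + b"\x00" * 16


if __name__ == "__main__":
    for off, ext, data in carve(build_sample_image()):
        print(f"offset {off}: {ext} ({len(data)} bytes)")
```

The truncated JPEG at the end of the sample is deliberately left unrecovered; the size cap is what keeps such a fragment from turning into a multi-gigabyte false positive on a real image.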
The time issue
1. Automated acquisition takes hours…
2. Automated carving takes hours, sometimes days…
3. Manual analysis takes hours, days, sometimes weeks
4. Reporting takes days
NEW « CHALLENGES » Dealing with
Disk Encryption
Secure Remote Wiping
Tails, TOR and the Darknet
What NSA thinks of TOR
Darknet Forensics ?
Embedded devices nightmare
Smartphone Encryption
IP Box: brute-forcing the PIN
iMessage, WhatsApp etc.
Escaping investigation
42 = GAMA® ? The Answer about Life, Universe, and Everything (...including Forensics!)
Introducing « GAMA® »
Introducing « GAMA® »
iCloud
Subpoenas
Territoriality issues
Three possible options
1. Cybercrime agreement (EU, USA, …): helps to act in a third-party country, but only if we are sure the data are physically stored in the agreeing country. Data received directly must be validated by the legal prosecutor.
2. Official request: Commission Rogatoire Internationale (CRI). Takes between 6 and 12 months, often too late (if log retention < 6 months).
3. CRI + backup request. Issues with IP timeout validity and other proof-of-evidence elements.
The cantonal prosecutor asks the Federal Justice Department,
who asks OFA in Washington D.C.
« Instant » data, further legalizing of obtained evidence.
Still not an obligation (for GAMA™) to give away data,
based on cultural and legal differences amongst countries.
Cryptowars - Cloud
Cryptowars - Mobile
TOWARDS NEW FORENSICS… GAMA®’s Forensic Tools
Rekall
Open Source Python Forensics Framework
Virtual Machine Live Forensics
• Filesystem, Memory, Registry, Processes…
• Multi-OS (Linux, Windows, OSX…)
• Able to investigate on nested VMs !
www.rekall-forensic.com
GRR (Google Rapid Response)
Open Source, multiplatform Distributed Forensics Management; uses Rekall and more.
« Cloud-by-design »: can handle large cases and live investigations (10’000 servers!).
Scheduling, and many more features.
TO CONCLUDE Final slides
Let’s recap !
• Legacy Forensics tools are no longer efficient.
• Evidence is no longer on Disks, and increasingly in RAM.
• Evidence is now in virtualized U.S. Clouds (GAMA®).
• New forensics tools are run by GAMA® for their own forensic needs & cyberattack mitigation.
– Virtualization and RAM forensics
– Nested VMs forensics
• GAMA® can collaborate… or not, to provide evidence.
Fearing the future?
• GAMA® supremacy, even over Law Enforcement (Cryptowars), is a new and interesting challenge.
• That will lead to the evolution of the legal arsenal in most countries:
– To force evidence disclosure by GAMA®,
– To insert backdoors & crypto / key escrow.
IS THAT WHAT WE, AS CITIZENS OR COMPANIES, REALLY WANT?
By Bruno Kerouanton Twitter: @kerouanton / éé.net
Thank You!
@kerouanton #ISC2CongressEMEA