Digital Forensics
Forward Defense’s team is composed of highly skilled experts in training, digital investigations, computer forensics, information security and risk assessments. The frontline team is supported by a staff of leading subject matter experts and a proven team of corporate partners.
Forward Defense’s executives are professionals with extensive background in the government and commercial sectors, including:
We have conducted international cyber forensics engagements in many countries, including:
• Canada
• USA
• Mexico
• Barbados
• Colombia
• Trinidad
• Brazil
• Senegal
• UK
• Switzerland
• Poland
• Germany
• Greece
• Libya
• Kazakhstan
• Turkey
• Jordan
• Egypt
• KSA
• UAE
• Japan
• Bangladesh
• Thailand
• Malaysia
• Indonesia
• Philippines
• Australia
Certifications
Our personnel hold numerous industry certifications, including:
• Certified Information Systems Security Professional (CISSP)
• Microsoft Certified Systems Engineer (MCSE)
• IACIS Certified Forensic Computer Examiner (CFCE)
• Guidance Software EnCase Certification (EnCE)
Publications
Our team has authored leading textbooks that are used by security practitioners around the globe.
Partners
Forward Defense has teamed with key partners, and our strong working relationship with these companies helps ensure state-of-the-art training and services.
Digital Forensics Services
We offer forensics and incident response training:
• Windows Computer Forensics
• Unix/Linux Forensics
• Large Device and Server Forensics
• Network Forensics
• Mobile Phone Forensics
• Apple Macintosh Forensics
In addition to training we also offer:
• Forensics Lab Development
• CERT Program Development
• Incident Response
• Direct Forensics Services
• Forensics Readiness Audits
• Security Gap Analysis
Computer Forensics
This is the process of collecting and analyzing digital data in a manner that preserves the original data to the greatest extent possible. It is imperative that the results of this process are reproducible and quantifiable.
Static Data - Traditional, offline analysis of media
Memory - Acquisition and analysis of random access memory
Network - Analysis of remote systems
Binary - Reverse engineering malware behavior
Static Data Forensics
Traditional approach: "dead box" analysis. Write blockers are used to protect the original evidence, and integrity is verified through hash analysis.
• SECURE the media
• PROTECT from alteration
• IMAGE the media
• VERIFY integrity of image
• ANALYZE the image
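The IMAGE and VERIFY steps above, as an added Python example (not Forward Defense's tooling): the source is hashed while it is being copied, the finished image is re-read and hashed independently, and the two digests must match. The "device" is a constructed in-memory buffer so the example runs offline; on a real acquisition `source` would be a write-blocked block device opened read-only.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # read the source in 1 MiB blocks

def acquire(source, image_path, chunk=CHUNK):
    """IMAGE step: stream `source` to `image_path`, hashing bytes as they are
    read. Returns (bytes_copied, sha256_of_source) for the acquisition log."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(image_path, "wb") as dst:
        while True:
            block = source.read(chunk)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    return copied, src_hash.hexdigest()

def hash_file(path, chunk=CHUNK):
    """Re-read a file from disk in blocks and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(image_path, expected_sha256):
    """VERIFY step: the image on disk must hash to the value recorded at
    acquisition; any later change to the image breaks the match."""
    return hash_file(image_path) == expected_sha256

def demo():
    """Acquire a constructed 3 MiB 'device', verify, then tamper and re-verify."""
    media = os.urandom(3 * CHUNK) + b"CONSTRUCTED-EVIDENCE-MARKER"
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        copied, digest = acquire(io.BytesIO(media), img)
        ok_before = verify(img, digest)
        with open(img, "r+b") as f:  # flip one byte of the image
            f.seek(5); b = f.read(1)
            f.seek(5); f.write(bytes([b[0] ^ 0xFF]))
        ok_after = verify(img, digest)
    return copied == len(media), ok_before, ok_after
```

demo() returns (True, True, False): the image matches its acquisition hash until a single byte changes.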
Memory Forensics
Sophisticated attacks may not write to non-volatile media and therefore it is necessary to seek out information stored in volatile memory.
• Active network connections
• Running processes
• Clipboard data
• Unsaved data
• User IDs and passwords
Investigators must be aware that the act of collecting data from a running system's memory will itself alter some of that data, and must weigh the trade-off between preserving data and collecting it.
Network Forensics
In network environments, relevant data may be held on more than one computer system. Adding to this complexity, some critical servers cannot be shut down to be imaged. Digital forensics teams must therefore examine log data, connection data, security appliance data and other sources to identify additional systems of interest.
• Live Acquisition - Acquiring non-volatile data from running systems
• Log Analysis - Using transaction logs to determine systems of interest
• Live Analysis - Performing analysis or scans of systems before imaging
• Traffic Analysis - Forensic analysis of data in motion across the network
Binary Forensics
• Static analysis of binary files, performed by examining strings, associated libraries or DLLs, and other indicators of behavior
• Dynamic Analysis of binary files, where the executable code is run in a virtual or sandboxed environment to record network and disk activity to determine behavior
• Reverse engineering of the binary through a debugger and similar software tools
Binary Forensics Analysis
• Internet Activity
• Active Files
• Deleted Files
• Accessed Files
• Timelines
• Remote Connections
• Malicious Binaries
• Attack Vectors
• Infection Signatures
Applications
The digital forensics process can be applied to a wide range of problems. Media of all types can be analyzed and the data examined for a variety of applications. These investigations can be split into three sections:
User Investigation
• Employee misconduct investigations
• Criminal investigations
• Mobile phone content
• Computer-based communication
Incident Response
• Determining scope of a compromise
• Developing signatures
• Mitigating damage
• Detecting attack vector
Data Discovery
• Compliance with court orders to produce documents
• Internal security audits and compliance