Forensics for Cybersecurity Pete Dedes, CCE, GCFA, GCIH
Page 1

Forensics for Cybersecurity

Pete Dedes, CCE, GCFA, GCIH

Page 2

WHO AM I?

• Pete Dedes, Forensics Analyst, Sword & Shield Enterprise Security

• Education

– Bachelor of Science, Computer Science, University of Tennessee

• Certifications:

– CCE – Certified Computer Examiner

– GCFA – GIAC Certified Forensic Analyst

– GCIH – GIAC Certified Incident Handler

– Licensed Private Investigator in the State of Tennessee

• Digital Forensics

– Intellectual Property Theft

– Domestic Cases

– Unlawful Termination

– Computer Usage Policies

– Electronic Discovery

– Mobile Device Forensics

• Security Analyst / Incident Handler

– Network Vulnerability Assessments and Penetration Tests

– Sensitive Data Discovery

– Security Assessments

– Incident Response

Page 3

PRIMER - INCIDENT RESPONSE

– Preparation – plan the IR capability, but also prevent incidents by ensuring secure systems, applications, and networks.

– Identification and Scoping – the security team discovers an incident, or is notified by a third party (law enforcement or a SOC). Proper identification of ALL compromised systems is important: a host that is missed in scoping lets the attacker back in after containment.

– Containment / Intelligence Gathering

– Eradication/Remediation

– Recovery

– Follow Up/Lessons Learned

Page 4

WHAT IS EVIDENCE?

• Anything that can be collected from the systems under investigation.

• Anything that can be used to prove or disprove a fact.

Page 5

WHAT IS FORENSICS?

• Recovery and investigation of material found in digital devices:

– Criminal/Civil Cases

– Network Forensics

– Mobile Forensics

Page 6

WHY BOTHER WITH INTELLIGENCE GATHERING?

• Reasons why we collect and analyze evidence:

– Prepare to prevent future breaches (plug the holes).

– Determine what the target was.

– Assess what valuable information was exposed/exfiltrated.

– Fulfill an obligation to disclose (Breach Notification Policy).

Page 7

EVIDENCE COLLECTION

Evidence collection is part of the intelligence gathering stage of incident response:

• Attackers try to cover their tracks to make discovery difficult so they can continue operating undetected. They also want to keep their methods secret to prevent future defensive measures.

• When an incident is discovered, we’re compelled to get things back to normal. This risks destroying valuable information about the attack in the process. To prevent future attacks of the same kind, we need to understand as much as we can about the current one.

• We need to take the time and effort to preserve computers, logs of all kinds, computer memory if possible, user information and any other pertinent information before the evidence is destroyed.

Page 8

EVIDENCE

– Types

• Hard drives, memory, removable media.

• Process information, network connections, log files and user information.

– Methods

• Forensically sound collection: avoid data loss and collect in the correct order (most volatile data first).

• Store an original copy of evidence and only work on copies of the original.

Page 9

IF LITIGATION COULD RESULT…

• Start a Chain of Custody form

• Generate, verify and store Hash Values (MD5, SHA1, etc.; record SHA-256 as well, since MD5 and SHA-1 are no longer collision resistant)

• Create Forensic Images whenever possible

• Document everything about the collection: how the evidence was obtained and the process used to collect it. You will need this to prove integrity.

• Store originals and copies in an access-controlled area.
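The bullets above as one runnable procedure, written for this page as an added example (it is not the presenter's code): image the source, hash source and image with MD5, SHA-1 and SHA-256 in a single pass, refuse to hand back an image whose hashes differ from the source, write the chain-of-custody record beside the image, and re-hash at every hand-off so tampering shows up. A regular file stands in for the evidence drive; the case number, names, tool string and file contents are constructed. On Linux the same code reads /dev/sdX behind a hardware write-blocker (as root), where you would still hash the device independently with sha256sum as a cross-check.

```python
"""Forensic image + hash verification + chain-of-custody record.
Added example, not from the talk. A regular file stands in for the
evidence drive; the case id, people and tool string are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: real images are larger than RAM


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """One pass over the file, all requested digests at once.
    MD5/SHA-1 are kept because older tools and forms expect them;
    SHA-256 is the one that still resists collisions."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def now_utc():
    return datetime.now(timezone.utc).isoformat()


def save_record(record):
    with open(record["image"] + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)


def acquire_image(source, image_path, collector, case_id, notes=""):
    """Byte-for-byte copy of `source`, then hash source and image and
    refuse to return an image whose hashes differ. Returns the
    chain-of-custody record and writes it next to the image."""
    started = now_utc()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
        dst.flush()
        os.fsync(dst.fileno())  # on stable storage before we hash it
    source_hashes = hash_file(source)   # second read of the source is fine behind a write-blocker
    image_hashes = hash_file(image_path)
    if source_hashes != image_hashes:
        raise RuntimeError("image hashes differ from source; acquisition failed")
    record = {
        "case_id": case_id,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": image_hashes,
        "collected_by": collector,
        "started_utc": started,
        "completed_utc": now_utc(),
        "tool": "example acquire_image() (hypothetical; record your real tool and version)",
        "notes": notes,
        "custody": [{"action": "acquired", "by": collector, "at": started}],
    }
    save_record(record)
    return record


def verify_image(image_path, record):
    """Re-hash before analysis or at every hand-off; True only if every
    recorded digest still matches."""
    return hash_file(image_path) == record["hashes"]


def log_transfer(record, from_person, to_person):
    """Append a custody hand-off entry and rewrite the record on disk."""
    record["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": now_utc()})
    save_record(record)
    return record


def demo():
    """Constructed run in a temp directory: acquire, verify, tamper, re-verify."""
    work = tempfile.mkdtemp(prefix="case-")
    source = os.path.join(work, "evidence.bin")
    with open(source, "wb") as fh:
        fh.write(b"constructed evidence drive contents\n" * 4096)  # constructed data
    image = os.path.join(work, "evidence.dd")
    record = acquire_image(source, image, "P. Dedes", "CASE-0001", notes="demo run")
    verified = verify_image(image, record)
    with open(image, "r+b") as fh:  # simulate a single altered byte in the image
        fh.seek(100)
        fh.write(b"X")
    tampered_detected = not verify_image(image, record)
    record = log_transfer(record, "P. Dedes", "evidence locker")
    return {
        "verified": verified,
        "tampered_detected": tampered_detected,
        "custody_entries": len(record["custody"]),
        "sha256": record["hashes"]["sha256"],
        "source_sha256": hash_file(source)["sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is written as JSON so it can be printed onto the chain-of-custody form or attached to the case file; the point of `verify_image()` is that the hashes are recomputed, never copied forward, each time the image changes hands.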

Page 10

Page 11

STATIC DATA VS VOLATILE DATA

• Collecting evidence in the correct order is key: most volatile first (memory, running processes, network connections), then the static data on disk.

• Some systems must be collected live if no other options exist (a production server that cannot be taken down, an encrypted volume that is only readable while mounted), or if it is important to capture the state of the system (current processes).

• Shutting down a system can destroy valuable evidence (temp files removed, processes stopped, memory cleared).
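A live collection runner in order of volatility, added here as an example and not taken from the talk: each collector's raw output is saved, hashed and recorded in a manifest so the live step is as accountable as the disk image. The Linux command list is an assumption (swap in tasklist, netstat and friends on Windows); memory belongs at the very top of the order but needs a dedicated imager, so it is deliberately absent. The `demo()` function uses constructed stand-in commands plus a hypothetical missing tool to show that a failed collector is recorded rather than aborting the run.

```python
"""Live collection in order of volatility, with a hashed manifest.
Added example, not from the talk. DEFAULT_COLLECTORS is a Linux
assumption; memory imaging needs a dedicated tool and is not listed."""
import hashlib
import json
import os
import platform
import subprocess
import tempfile
from datetime import datetime, timezone

# Most volatile first. The clock is collected before anything else so every
# timestamp in the outputs can be aligned with the analyst's own clock.
DEFAULT_COLLECTORS = [
    ("clock", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_connections", ["ss", "-tanp"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routing", ["ip", "route"]),
    ("logged_in_users", ["w"]),
    ("mounts", ["mount"]),
    ("kernel_modules", ["lsmod"]),
]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def run_collector(name, argv, case_dir):
    """Run one command, store its raw stdout, and return a manifest entry.
    A missing or hung tool is recorded, not fatal: a documented gap is
    evidence of diligence, an undocumented one looks like tampering."""
    entry = {"name": name, "command": argv,
             "started_utc": datetime.now(timezone.utc).isoformat()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired) as exc:
        entry.update(status="failed", error=repr(exc))
        return entry
    out_path = os.path.join(case_dir, name + ".txt")
    with open(out_path, "wb") as fh:
        fh.write(proc.stdout)  # raw bytes: no decoding that could alter the evidence
    entry.update(
        status="ok" if proc.returncode == 0 else "nonzero_exit",
        returncode=proc.returncode,
        output=out_path,
        sha256=sha256_bytes(proc.stdout),
        stderr=proc.stderr.decode(errors="replace")[:500],
    )
    return entry


def live_collect(case_dir, collectors=DEFAULT_COLLECTORS, collected_by="unknown"):
    """Run the collectors in the given (volatility) order; write manifest.json."""
    os.makedirs(case_dir, exist_ok=True)
    manifest = {
        "host": platform.node(),
        "collected_by": collected_by,
        "started_utc": datetime.now(timezone.utc).isoformat(),
        "entries": [run_collector(name, argv, case_dir) for name, argv in collectors],
    }
    with open(os.path.join(case_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def demo():
    """Constructed run: portable stand-in commands plus one tool that does
    not exist, showing the failure is recorded instead of aborting."""
    constructed = [
        ("processes", ["echo", "PID  PPID USER CMD  (constructed sample)"]),
        ("network_connections", ["echo", "ESTAB 10.0.0.5:443 (constructed sample)"]),
        ("memory_dump", ["no-such-memory-imager-tool"]),  # hypothetical missing tool
    ]
    return live_collect(tempfile.mkdtemp(prefix="triage-"), constructed, "P. Dedes")


if __name__ == "__main__":
    # Real run on the current host: writes ./triage/<name>.txt and manifest.json
    print(json.dumps(live_collect("triage"), indent=2))
```

Run it from removable media or a read-only share rather than from the suspect disk, and note that every command you run is itself a change to the live system (new process, page cache, log entries); the manifest's timestamps are what let you separate your footprint from the attacker's later.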

Page 12

COLLECTING THE EVIDENCE

• Hard Drive Images

• Memory Dump

• Copies of Removable Media

• Mobile Devices

• Network Log Files

• Virtual Machines

Page 13

TOOLS FOR COLLECTING EVIDENCE

• Write-Blockers – Tableau, Thumbscrew, HardCopy, DiskJocky, Firefly

• Software – FTK Imager, Sumuri, Linux dd commands

• F-Response – Remote Acquisition

• UFED, Lantern – Mobile Device

• Wireshark – Live Network Capture, Offline Analysis

Reference: www.forensicswiki.org

Page 14

STATIC ACQUISITION

Page 15

LIVE ACQUISITION

Page 16

OSX FROM BOOT DISK

Page 17

MEMORY ANALYSIS

Page 18

REMOVABLE DEVICES

Page 19

PHONE ACQUISITIONS

Page 20

SMART PHONE

Page 21

SMART PHONE GEO-ANALYSIS

Page 22

VIRTUAL MACHINE EXPORT

Page 23

NETWORK LOGS

Page 24

WHAT IS DONE WITH THE EVIDENCE?

• Copies given to a security company for forensic analysis

• In-house analysis if so equipped

• Looking for:

– Root cause of the breach

– Damages incurred

– Spread of the breach throughout the network

Page 25

CONCLUSION

• Acquire the tools needed for your environment.

• Get familiar with the tools.

• Know what network devices to pull logs from.

Page 26

QUESTIONS?

• Thank you for your time today.

• I would be happy to answer any questions