FORENSICS INCIDENT RESPONSE Source: www.cybersec.org

FORENSICS INCIDENT RESPONSEsaskispconf.ca/wp-content/uploads/2019/06/12.-Digital... · 2019-06-04 · DIGITAL FORENSICS VS. COMPUTER FORENSICS Computer Forensics is the original term


INTRODUCTION

• SaskTel Business Solutions
  • Digital Forensics
• Rick Lee – EnCE, GCFA, CISSP
  • Royal Canadian Mounted Police – 25 years
    • Retired as the NCO i/c Saskatchewan Integrated Technological Crime Unit
  • C.S.I. Services Corp. – 12 years
  • SaskTel Corporate Security – 12.5 years
  • 20 years experience in Digital Forensics
  • Expert Witness
• Norm Rooney
  • Royal Canadian Mounted Police – 25 Years
    • Retired as the NCO i/c Saskatchewan Integrated Technological Crime Unit
  • 13 years experience in Digital Forensics
  • Expert Witness
• Ryan Rupchan – GCFE
  • Newby
• Partners


AGENDA

• What is DFIR?
• Why DFIR?
• Digital Forensics
• Incident Response
• SaskTel Offerings


WHAT IS DIGITAL FORENSICS?

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.


DIGITAL FORENSICS VS. COMPUTER FORENSICS

Computer Forensics is the original term for examining computers looking for evidence of wrongdoing with the goal of presenting the evidence in a judicial hearing.

With the passing of time and the expanding role of digital devices in our lives, the correct term now is Digital Forensics. Now we can locate digital evidence on computers, external storage devices, tablets, smart phones, vehicles and the list just continues to expand.


WHY DIGITAL FORENSICS

• Almost everything we do nowadays leaves some form of a digital trail. As a Digital Forensics Analyst, our job is to know:
  • what type of information is available,
  • where it is located, and
  • how to gather it in a forensically sound manner

• Then our job is to be able to explain what the evidence is saying in a manner that anyone would be able to understand


WHAT IS INCIDENT RESPONSE?

Incident response is a coordinated and structured approach to go from incident detection to resolution. Incident response may include activities that:

• Confirm whether or not an incident occurred
• Provide rapid detection and containment
• Prevent a disjointed, noncohesive response
• Determine and promote facts and actual information
• Minimize disruption to business and network operations
• Minimize the damage to the compromised organization
• Restore normal operations
• Manage the public perception of the incident
• Allow for criminal or civil actions against the perpetrators
• Educate Senior management
• Enhance the security posture of a compromised entity against future incidents


TYPES OF INVESTIGATIONS

• Incident Response
  – Network Breach
  – Phishing Attack
• Criminal Investigations
• Code of Conduct
• Theft of Intellectual Property
• Executive Dismissals
• e-Discovery
• Theft of funds, including bank access, credit card and wire fraud
• Privacy Breach
• HR – Employee Dismissal
• Smart Phone Forensics
• Computer Forensics
• Malware Analysis


COMPUTER INVOLVEMENT IN A CRIME

• There are basically three ways a computer becomes involved in an investigation:
  • The Computer as a Target:
    • In this case the computer is the target of the crime.
    • An example would be an intrusion investigation.
  • The Computer as an Instrument in a Crime:
    • In this case the computer is being used to assist in the commission of a crime.
    • An example would be accessing or distributing child pornography.
  • The Computer holds evidence of a Traditional Crime:
    • This is a case where there may be incriminating evidence of a crime.
    • An example of this may be email between two subjects planning a crime.


SIZE DOES MATTER

• Size is increasing and cost is decreasing
• Requires a change in mindset as to what we are going to collect

Source: www.mkomo.com


WHAT IS A TERABYTE??? (OUTSIDE THE BOX)

A Terabyte is approximately 2,084 pallets, each containing 400 reams of 500 sheets of paper, which would take over 50 semi-trucks to transport.


ADVANCED PERSISTENT THREAT (APT)

An APT is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity:

• APT usually targets organizations and/or nations for business or political motives.
• APT processes require a high degree of covertness over a long period of time.
• The APT successfully compromises any target it desires*
• Conventional defenses are ineffective*
• The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
• The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target.
• The "threat" process indicates human involvement in orchestrating the attack.

* Source: Mandiant M-Trends – the advanced persistent threat (2010)


ADVANCED PERSISTENT THREAT - CHINA

• Early 2010 China hacks the following:
  – Google, Adobe, Yahoo, Symantec, Northrop Grumman, Dow Chemical, Juniper Networks, Rackspace
• Late 2010 China targets the following:
  – Government of Canada Finance Dept, Toronto Law Offices, Saskatchewan Potash Companies, Government of Saskatchewan

Source: www.mandiant.com


M-TRENDS 2019 - CHINA


CROWDSTRIKE – BREAKOUT TIME

Source: CrowdStrike 2019 Global Threat Report


DIGITAL FORENSICS

• Digital Forensic Process

• New Trends in Digital Forensics

• Where’s the Evidence?

• The Tools We Use


THE DIGITAL FORENSIC PROCESS

[Diagram; recoverable labels: Data Collection (Host Based Data Including Live Data, Forensic Duplications, Network Based Data, Other Data); Data Processing; Minimize; Information Review; Leads; Relevant Information]


LEGAL AUTHORITY TO EXAMINE EVIDENCE

• Before you start your investigation you need to ensure you have the legal authority to examine the evidence.
  – Law Enforcement: This means either having a search warrant or the owner’s informed consent.
    • Informed consent means knowing the implications of having the evidence examined and the possibility of being charged with a criminal offense.
  – Corporate: This can be more difficult to establish as you need to consider the following:
    • Is the item the property of the corporation?
    • Are there any expectations of privacy on the part of the users of the system?
      – Is there a login banner indicating no expectation of privacy on the part of the user which needs to be acknowledged prior to system usage?


DIGITAL FORENSIC PROCESS

• Evidence Collection
  – Chain of Custody
  – Forensic Image
• Evidence Examination
  – Identifying evidence
• Evidence Analysis
  – Analysis of the identified evidence
• Evidence Presentation
  – Court / Hearing
  – Client

[Diagram: Evidence Collection, Evidence Examination, Evidence Analysis, Evidence Presentation]
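
An added example (not from the original slides) of the "validation with mathematics" behind chain of custody and forensic imaging: the image is hashed at acquisition, each custody entry is linked to the previous one by hash, and a later check detects a changed image or an edited record. The log layout, analyst names and timestamps are constructed for illustration.

```python
import copy
import hashlib
import json
import os
import tempfile


def hash_image(path, chunk_size=1 << 20):
    """Hash the image in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def entry_digest(entry):
    """Hash every field of a custody entry except its own stored hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, when, who, action, image_path):
    """Append an entry recording the image hash and a link to the previous entry."""
    entry = {"when": when, "who": who, "action": action,
             "image_sha256": hash_image(image_path),
             "prev": log[-1]["entry_hash"] if log else None}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)


def verify(log, image_path):
    """Return a list of problems; an empty list means log and image check out."""
    problems, prev = [], None
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(entry):
            problems.append(f"custody entry {i} altered or out of order")
        prev = entry["entry_hash"]
    if log and hash_image(image_path) != log[0]["image_sha256"]:
        problems.append("image no longer matches acquisition hash")
    return problems


def demo():
    """Run the checks on a constructed image; names and times are made up."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(b"constructed disk image bytes " * 4096)
        log = []
        add_entry(log, "2019-06-04T10:00", "Analyst A", "acquired", image)
        add_entry(log, "2019-06-04T15:30", "Analyst B", "received for examination", image)
        clean = verify(log, image)

        edited = copy.deepcopy(log)
        edited[1]["who"] = "Someone Else"   # custody record changed after the fact
        log_problems = verify(edited, image)

        with open(image, "r+b") as fh:      # one byte of the evidence changes
            fh.seek(100)
            fh.write(b"X")
        image_problems = verify(log, image)
    return clean, log_problems, image_problems


if __name__ == "__main__":
    print(demo())
```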


NEW TRENDS IN DIGITAL FORENSICS

• Memory Analysis
• Distributed Processing
• Boot VM from image file from within Forensic Tool
• Facial Recognition & Skin Tone image analysis
• Character Recognition from Image Files
• Enterprise Forensic Tools
• Improved Tool Sets
  • Open Source and Commercial
• Vehicle Forensics
• Mobile and Wearable Forensics


WHERE’S THE EVIDENCE?

• Computer Hard Drive (Old Standard)
• Virtual machines
• Alternate Data Streams
• Steganography
• Memory (Computer’s)
• External Storage (USB, Wifi, NAS, etc.)
• Network Appliances
• Cloud
• Smart Phones


MEMORY CONTENT INCLUDES

• Internet History
• Pictures
• Chat
• Email
• MFT
• Executables
• Memory Resident Code
• Unencrypted Data
• Encryption Keys
• Passwords
• OS Artifacts
  – Running Processes
  – Network Configuration and Connections
  – IP Addresses
  – Log Files
  – Open Ports, Sockets and Files
• And More
  – Network PCAP Captures


CELL PHONE FORENSICS

• Cellebrite
  – Device Info
  – Locations
  – Messages
  – Photographs
  – Call Log
  – Calendar Entries
  – Contacts
  – Installed Apps
  – Activity Analytics
  – And More

Cell phones are ubiquitous and are an invaluable source of evidence which contains the user’s life history. Most of the information is only available if you have access to the phone.


ACQUISITION OF THE EVIDENCE

• Collection of the evidence
• Goal is to interact with the evidence as little as possible
• 1980’s / 90’s law enforcement was trained to pull the plug from the back of the computer when you arrived on the scene
• Is there reason to believe the drive may be encrypted?
• Realization that volatile information was being lost changed the process to doing a live response on the system then pull the plug
• Imaging of the evidence should be conducted in your controlled lab space


SOME OF OUR TOOLS

• EnCase Enterprise
• Intella
• Maltego 4
• Internet Evidence Finder
• Cellebrite UFED4PC
• Forensic Explorer
• Cyber Triage


OTHER FORENSIC TOOLS

• Forensic Suites
  – Axiom
• Windows Forensic Tools
  – F-Response
  – Passware
  – Log-MD
• Malware Analysis
  – Joe Sandbox
• Open Source Tools
  – Mandiant Highlighter
  – Mandiant Redline
  – Volatility
  – Rekall
  – RegRipper
  – 4n6Time
• Hardware
  – Digital Intelligence
    • Server, Towers, Laptops
    • Write Blockers / Imaging
  – Deepspar Disk Imager


INCIDENT RESPONSE OBJECTIVES

• The questions you need to answer:
  • Was this an actual attack?
  • Was the attack successful?
  • How did they get in?
  • What other assets were also compromised?
  • How are they able to persist in your network?
  • What did they do once they got in?
  • What needs to be contained, investigated and remediated?


THE BREACH INVESTIGATION

• Once you have determined there has been a breach STOP looking for more information and bring in your forensic investigator / team.
• Create a forensic image of any compromised systems
• Retain all logs which may prove useful to your investigation
• Make notes of all pertinent information to the investigation and any actions taken on the compromised systems prior to bringing in your forensic investigator.
• Questions to answer:
  – Who, what, where, when, why and how
• Think about your communication plan.
• Create a timeline using the compromised systems, logs and any other available information


ATTACK LIFECYCLE

• Initial Compromise
• Establish Foothold
• Escalate Privileges
• Internal Reconnaissance
• Move Laterally
• Maintain Presence
• Complete Mission

Source: Incident Response & Computer Forensics, Third Edition


PHISHING ATTACKS - IT ONLY TAKES ONE

Humans are the most common cause of network breaches


INCIDENT DETECTION

1. IDS system detects remote attack
2. Numerous failed logon attempts
3. Logins into dormant or default accounts
4. Activity occurred during non-working hours
5. Presence of new accounts not created by the sysadmin
6. Unfamiliar files or executable programs
7. Unexplained elevation of privileges
8. Altered pages on the web server
9. Gaps or erasure of log files
10. Slower system performance
11. The system crashed
12. Receive an extortion email
13. Notified by upstream or downstream sites
14. Child Pornography

[Diagram labels: IDS, End User, Help Desk, SysAdmins, Security, Human Resources]

Mandiant’s M-Trends 2015 How Compromises are Being Detected: 31% by Internal Resources and 69% by an External Entity.
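
An added example (not part of the original presentation) that turns indicators 2, 3, 4 and 9 from the list above into checks over a logon log. The record format, account names, last-seen baseline and thresholds are assumptions constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): seq timestamp user result source
SAMPLE_LOG = """\
101 2019-06-03T09:12:01 alice SUCCESS 10.0.0.15
102 2019-06-03T10:05:44 bob SUCCESS 10.0.0.22
103 2019-06-03T14:30:00 carol FAIL 10.0.0.31
104 2019-06-03T14:30:20 carol SUCCESS 10.0.0.31
105 2019-06-04T02:13:05 svc_backup FAIL 203.0.113.7
106 2019-06-04T02:13:09 svc_backup FAIL 203.0.113.7
107 2019-06-04T02:13:14 svc_backup FAIL 203.0.113.7
108 2019-06-04T02:13:20 svc_backup FAIL 203.0.113.7
109 2019-06-04T02:13:26 svc_backup FAIL 203.0.113.7
110 2019-06-04T02:14:02 guest SUCCESS 203.0.113.7
114 2019-06-04T02:20:45 dave SUCCESS 203.0.113.7
115 2019-06-04T09:02:11 alice SUCCESS 10.0.0.15
"""

# Assumed policy values and baseline; tune to the monitored environment.
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator"}
LAST_SEEN = {"alice": "2019-05-31", "bob": "2019-05-30",
             "carol": "2019-05-31", "dave": "2018-11-01"}
DORMANT_AFTER = timedelta(days=90)
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=10)
WORK_START, WORK_END = 7, 19  # local hours, Monday to Friday

def parse(text):
    """Yield (seq, timestamp, user, result, source) for each record."""
    for line in text.splitlines():
        seq, ts, user, result, src = line.split()
        yield int(seq), datetime.fromisoformat(ts), user, result, src

def detect(text):
    """Return (indicator, detail) findings in log order."""
    findings = []
    recent_fails = defaultdict(deque)  # user -> failure times inside the window
    prev_seq = None
    for seq, ts, user, result, src in parse(text):
        # Indicator 9: missing record numbers suggest erased log entries.
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(("log_gap", f"records {prev_seq + 1}-{seq - 1} missing"))
        prev_seq = seq
        if result == "FAIL":
            # Indicator 2: numerous failed logons within a sliding window.
            q = recent_fails[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_LIMIT:
                findings.append(("failed_logons", f"{user} from {src}"))
            continue
        # Indicator 3: successful login to a default or dormant account.
        if user in DEFAULT_ACCOUNTS:
            findings.append(("default_account", user))
        else:
            last = LAST_SEEN.get(user)
            if last and ts - datetime.fromisoformat(last) > DORMANT_AFTER:
                findings.append(("dormant_account", user))
        # Indicator 4: successful login outside working hours.
        if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
            findings.append(("off_hours", f"{user} at {ts.isoformat()}"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding, sep=": ")
```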


INCIDENT RESPONSE PROCESS

• P – Preparation
• I – Identification & Scoping
• C – Containment & Intelligence Gathering
• E – Eradication & Remediation
• R – Recovery
• L – Lessons Learned & Follow Up


PIPEDA - BREACH NOTIFICATION

PIPEDA (Personal Information Protection and Electronic Documents Act)

A report to the Commissioner must be made in writing and contain the following information:

• the circumstances of the breach and, if known, the cause;
• the date or period during which the breach occurred;
• the personal information that is the subject of the breach;
• an estimate of the number of individuals at a real risk of significant harm;
• the steps that the organization has taken to reduce risk or mitigate harm to individuals;
• the steps that the organization has taken or intends to take to notify affected individuals; and
• the name and contact information of a person who can answer, on behalf of the organization, the Commissioner's questions about the breach.


BEWARE THE “C.S.I. EFFECT”

• Managing Expectations
  – Contrary to popular belief (e.g. CSI: Cyber) these investigations can’t be solved in hours and you won’t typically find all of the evidence.


A WORD ABOUT LEGAL

• It is worth considering having any investigations, whether you do it internally or outsource the work, run through your legal department.

• This gives you the advantage of client / solicitor privilege.

• Your work becomes work product of your legal department and is not discoverable in a judicial hearing.


JOE SANDBOX - VISUALS


DIGITAL FORENSICS SERVICE OFFERINGS

• Digital Forensics
  • Investigations
  • Environment Preparation
  • Digital Evidence
• Incident Response
  • Before a breach
  • During a breach
  • After a breach (Executive briefings)
• E-Discovery
  • Identification
  • Preservation
  • Collection
  • Processing
  • Review
  • Analysis
  • Production
  • Presentation
• Training
  • 2 x 3 day classes available
  • Incident Response Training
  • Open Source Intelligence
• Awareness Presentations
  • Digital Investigations
  • Incident Response
  • Security


SASKTEL: DIGITAL FORENSICS

• Investigations
  • Covert Investigations
  • Online Investigations
  • Criminal Investigations
• Preparing environment for investigations
  • Log Collection
  • Baseline Your Crown Jewels & Desktop Environment
  • Installation of Agents
• Digital Evidence
  • Systems
  • System Memory
  • Smartphones


SASKTEL: INCIDENT RESPONSE

• Assist your business before a breach occurs:
  • Establish an Incident Response Plan
    • Policies & Procedures
  • Review your Incident Response Plan
  • Table Top Exercises to test your Incident Response Plan
  • Incident Response Training
• Assist your business when the breach occurs:
  • Locate, Gather & Analyze the Evidence
  • Malware Analysis
• Assist your business after the breach has been remediated:
  • Report findings to Executive


SASKTEL: TRAINING

• Incident Response Training
  • 3 Day Class
    • Day 1 – Primarily lecture
      • CSIRT Structure
      • Incident Response Building Blocks
    • Days 2 & 3 – Hands on Windows
      • Live Response Kits
      • Windows Analysis
      • Practical Exercise
• Open Source Intelligence (OSINT)
  • 3 Day Class
    • Going Beyond Google Searching


SASKTEL: ADVANTAGE

• Confidentiality
• Documented processes
  • NDA, Contract, Statement of Work, Chain of Custody
• Digital Forensic Analysts have government security clearances, extensive knowledge, and years of experience
• Professional quality lab space
• Physically secure Digital Forensic office
• Industry-standard Digital Forensic hardware & software
• All work is completed locally


PROCESS TO ENGAGE SASKTEL’S DIGITAL FORENSICS GROUP

• Once we receive a call for work, we will come and meet with you and after signing a Non-Disclosure Agreement:
  • Discuss your investigation / requirements
  • Develop a plan to address the issues discussed
• SaskTel will then prepare a Statement of Work (SOW) and once signed off by both parties the work begins.
• SaskTel will keep the individuals identified in the SOW updated on the progress of the investigation and the results of the analysis until the investigation is completed.

• SaskTel will prepare and present a report on the results of our analysis

• SaskTel Analyst will be available as required for any judicial hearings


“The Internet crime problem is going to get worse. How do I know? Simple. There is always a percentage of the population who are up to no good. As the entire population moves to the Internet, so will the criminals.”

- Scott Charney, Department of Justice, Computer Crimes and Intellectual Property Section (USA)


Let’s start a conversation.

Rick Lee | 1-844-691-1646 | [email protected]/digitalforensics