Digital Forensics and Incident Response in

Introduction

Megan Roddie◦ Cyber Threat Research at IBM◦ CFO of Mental Health Hackers◦ M.S. in Digital Forensics◦ M.S. in Information Security

Engineering (est. 2021)◦ GCFA, GCIH◦ @megan_roddie

INTRODUCTION TO G SUITE1

DON’T GET COMPROMISED2

Don’t Wait. Secure it.

◦ First Step: Don’t get compromised!◦ Many steps to be taken to prevent

a compromise◦ 2FA, 2FA, 2FA

https://blog.reconinfosec.com/securing-g-suite/

G SUITE DFIR VS. TRADITIONAL DFIR3

Map

ping

G S

uite

Att

acks

to th

e Cy

ber K

ill Ch

ain

https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite

“Traditional” DFIR

◦ Malware◦ Phishing◦ Denial of Service◦ Web attacks

(XSS, SQL Inject)

◦ Phishing◦ Information Leak◦ Account Abuse

G Suite DFIR

Incident types

“Traditional” DFIR

◦ Variety of access methods

◦ Vulnerability exploitation

◦ Publicly accessible network resources

◦ Human threat

◦ Smaller attack surface

◦ Social Engineering

◦ Phishing email◦ Brute force

G Suite DFIR

Attack vector

“Traditional” DFIR

◦ Multiple devices / device types (computers vs. servers vs. network devices)

◦ Core configuration settings might be centralized; more system independent settings

◦ Contained to single platform

◦ Core configuration settings are centralized

G Suite DFIR

Environment

“Traditional” DFIR

◦ Large attack surface

◦ Diversity of incident types

◦ Variety of sources of information

◦ Limited attack surface

◦ Specific incident types

◦ Data is centralized

G Suite DFIR

Overview

CASE SCENARIO4

The Scenario

A company’s client list seems to have leaked to an outside entity.

They suspect that the list of customers might have been found via G Suite (files, emails, contacts) but do not know of a compromise.

Cyber Experts, LLC. is contracted to find out if a compromise exists.

What we know

◦ There might be a compromise

◦ Nothing

What we need to find out

Scenario Start

What’s been done

◦ All the things

Identify suspicious activity

◦ Login Audit Logs

Identify suspicious activity

◦ whois 43.241.236.23◦ whois 52.129.23.26◦ whois 64.18.221.42◦ ...

https://blog.ecapuano.com/auditing-gsuite-login-activity/

https://blog.reconinfosec.com/auditing-gsuite-login-activity/

Containment

◦ Disable account

◦ Reset password

◦ Reset all login sessions

What we know

◦ We know whose account was compromised

◦ We know when the account was compromised

◦ No other accounts indicate same pattern of abnormal activity

◦ The known compromised account has been disabled and all active sessions have been reset

What we need to find out

How are we looking now?

What’s been done

◦ How did it happen?

◦ What was the account used for?

◦ Is there any persistence in place?

How did it happen?

Brute force?

No

So… Phishing?

What was the account used for?

ReviewAll

TheLogs

Is there any persistence in place?

◦ App passwords

◦ Authorized API

◦ Add 2FA device

◦ Email forwarding

◦ Email filters

Moral of the story...

FUTURE RESEARCH5

Incident Response (IR)

◦ Automation via G Suite API◦ Started but not my area of

expertise▫ Reach out if you want to collaborate

Digital Forensics (DF)

◦ File Metadata Analysis◦ Recreate SANS Windows Time

Rules for Google Drive

Questions?

Thank you!