Operations and Incident Response Flashcards
Determine the route a packet takes to a destination
- Map the entire path
Takes advantage of ICMP Time to Live Exceeded error message
- The time in TTL refers to hops, not seconds or minutes
- TTL=1 is the first router, TTL=2 is the second router, etc.
Not all devices will reply with ICMP Time Exceeded messages
- Some firewalls filter ICMP
- ICMP is low-priority for many devices
traceroute / tracert
Lookup information from DNS servers
- Canonical names, IP addresses, cache timers, etc.
Both Windows and POSIX-based
- Lookup names and IP addresses
- Deprecated
nslookup
Lookup information from DNS servers
- Canonical names, IP addresses, cache timers, etc.
More advanced domain information
dig
Most of your troubleshooting starts with your IP address
- Ping your local router/gateway
Determine TCP/IP and network adapter information
- And some additional IP details
ipconfig - Windows
ifconfig - Linux
Network mapper
- Find and learn more about network devices
Port scan
- Find devices and identify open ports
Operating system scan
- Discover the OS without logging in to a device
Service scan
- What service is available on a device?
- Name, version, details
Additional scripts
- Extended capabilities, vulnerability scans
Nmap
Test reachability
- Determine round-trip time
- Uses Internet Control Message Protocol (ICMP)
One of your primary troubleshooting tools
ping
Combine ping and traceroute
- Included with Windows NT and later
First phase runs a traceroute
- Build a map
Second phase
- Measure round-trip time and packet loss at each hop
pathping
TCP/IP packet assembler/analyzer
- A ping that can send almost anything
Ping a device
- ICMP, TCP, UDP
Send crafted frames
- Modify all IP, TCP, UDP, and ICMP values
A powerful tool
- It’s easy to accidentally flood and DoS
hping
Network statistics
- Many different operating systems
netstat
Show all active connections
netstat -a
Show binaries
netstat -b
Do not resolve names
netstat -n
“Read” or “write” to the network
- Open a port and send or receive some traffic
Many different functions
- Listen on a port number
- Transfer data
- Scan ports and send data to a port
Become a backdoor
- Run a shell from a remote device
Other alternatives and OSes - Ncat
netcat
Search a network for IP addresses
- Locate active devices
- Avoid doing work on an IP address that isn’t there
Many different techniques
- ARP (if on the local subnet)
- ICMP requests (ping)
- TCP ACK
- ICMP timestamp requests
A response means more recon can be done
- Keep gathering information - Nmap, hping, etc
IP scanners
Determine a MAC address based on an IP address
- You need the hardware address to communicate
Address Resolution Protocol
View local ARP table
arp -a
View the device’s routing table
- Find out which way the packets will go
route print - Windows
netstat -r - Linux and macOS
Client URL
- Retrieve data using a URL
- Uniform Resource Locator
- Web pages, FTP, emails, databases, etc.
Grab the raw data
- Search
- Parse
- Automate
curl
Gather OSINT
- Open-Source Intelligence
Scrape information from Google or Bing
- Find associated IP addresses
List of people from LinkedIn
- Names and titles
Find PGP keys by email domain
- A list of email contacts
DNS brute force
- Find those unknown hosts; vpn, chat, mail, partner, etc.
theHarvester
Combine many recon tools into a single framework
- dnsenum, Metasploit, Nmap, theHarvester, and much more
Both non-intrusive and very intrusive scanning options
- You choose the volume
Another tool that can cause problems
- Brute force, server scanning, etc
- Make sure you know what you’re doing
sn1per
Run port scans from a different host
- Port scan proxy
Many different services
- Choose the option for scan origination
- Your IP is hidden as the scan source
scanless
Enumerate DNS information
- Find host names
View host information from DNS servers
- Many services and hosts are listed in DNS
Find host names in Google
- More hosts can probably be found in the index
dnsenum
Industry leader in vulnerability scanning
- Extensive support
- Free and commercial options
Identify known vulnerabilities
- Find systems before they can be exploited
Extensive reporting
- A checklist of issues
- Filter out the false positives
Nessus
A sandbox for malware
- Test a file in a safe environment
A virtualized environment
- Windows, Linux, macOS, Android
Track and trace
- API calls, network traffic, memory analysis
- Traffic captures
- Screenshots
Cuckoo
View the first part of a file
Use -n to specify the number of lines
head
View the last part of a file
Use -n to specify the number of lines
tail
Concatenate
- Link together in a series
Copy a file/files to another file
cat
Find text in a file
- Search through many files at a time
grep
Change mode of a file system object
- r=read, w=write, x=execute
- Can also use octal notations
- Set for the file owner (u), the group (g), others (o), or all (a)
chmod
User = read, write, and execute
Group = read only
Others = read only
chmod 744
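As an added example (not part of the original flashcards), this Python script translates a symbolic chmod spec into the octal form, renders it the way ls -l does, and then applies it to a temporary file and reads the mode back from the kernel so the translation is checked against the OS. The symbolic form handled here is only the '=' form (u=rwx,g=r,o=r); the '+' and '-' forms are left out by assumption.

```python
import os
import stat
import tempfile

# Permission bits per class, exactly as chmod interprets them:
# u = file owner, g = group, o = others; a = all three.
CLASS_BITS = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def symbolic_to_mode(spec: str) -> int:
    """Translate a symbolic spec such as 'u=rwx,g=r,o=r' into a numeric mode.

    Only the '=' form is handled (each clause replaces that class's bits).
    'u=rwx,g=r,o=r' -> 0o744: each octal digit is r=4, w=2, x=1 summed
    per class, so owner 4+2+1=7, group 4, others 4.
    """
    mode = 0
    for clause in spec.split(","):
        who, sep, perms = clause.partition("=")
        if sep != "=" or not who:
            raise ValueError(f"unsupported clause: {clause!r}")
        classes = "ugo" if who == "a" else who
        for cls in classes:
            for perm in perms:
                mode |= CLASS_BITS[cls][perm]  # KeyError on anything but ugo / rwx
    return mode


def describe_mode(mode: int) -> str:
    """Render the nine permission bits the way 'ls -l' shows them (e.g. rwxr--r--)."""
    return stat.filemode(mode)[1:]  # drop the leading file-type character


def apply_and_verify(spec: str) -> int:
    """Create a temporary file, chmod it to the spec, and return the permission
    bits the kernel actually stored, so the translation is checked against the OS."""
    mode = symbolic_to_mode(spec)
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for spec in ("u=rwx,g=r,o=r", "u=rw,g=r,o=", "a=r"):
        m = symbolic_to_mode(spec)
        print(f"{spec:<16} -> chmod {m:o}  ({describe_mode(m)})  kernel={apply_and_verify(spec):o}")
```

Note that the script uses os.chmod on a file in the temp directory, so the verification step assumes a POSIX system; on Windows only the read-only bit is honoured.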
Add entries to the system log
- syslog
Adding to the local syslog file
Useful for including information in a local or remote syslog file
- Include as part of an automation script
- Log an important event
logger
Encrypted console communication
TCP port 22
Looks and acts the same as Telnet
Secure Shell (SSH)
Command line for system administrators
- ps1 file extension
- Included with Windows 8/8.1 and 10
Extend command-line functions
- Uses cmdlets (command-lets)
- Standalone executables
Automate and integrate
- System administration
- Active Directory administration
Windows PowerShell
General-purpose scripting language
- .py file extension
Popular in many technologies
- Broad appeal and support
Python
A toolkit and crypto library for SSL/TLS
- Build certificates, manage SSL/TLS communication
Create X.509 certificates
- Manage certificate signing requests (CSRs) and certificate revocation lists (CRLs)
Message digests
- Support for many hashing algorithms
Encryption and Decryption
- SSL/TLS for services
OpenSSL
A suite of packet replay utilities
- Replay and edit packet captures
- Open source
Test security devices
- Check IPS signatures and firewall rules
Test and tune IP Flow/Netflow devices
- Send hundreds of thousands of traffic flows per second
Tcpreplay
Capture packets from the command line
- Display packets on the screen
- Write packets to a file
tcpdump
Graphical packet analyzer
- Get into the details
Gathers frames on the network
- Or in the air
Sometimes built into the device
- View traffic patterns
- Identify unknown traffic
- Verify packet filtering and security controls
Extensive decodes
- View the application traffic
Wireshark
Create a bit-by-bit copy of a drive
- Used by many forensics tools
Create a disk image
- dd if=/dev/sda of=/tmp/sda-image.img
- Hash the source and the image afterward to verify the copy
Restore from an image
- dd if=/tmp/sda-image.img of=/dev/sda
dd
Copy information in system memory to the standard output stream
- Everything that happens is in memory
- Many third-party tools can read a memory dump
Copy to another host across the network
- Use netcat, stunnel, openssl, etc.
memdump
A universal hexadecimal editor for Windows OS
Edit disks, files, RAM
- Includes data recovery features
Disk cloning
- Drive replication
Secure wipe
- Hard drive cleaning
Much more
- A full-featured forensics tool
Winhex
AccessData forensic drive imaging tool
- Includes file utilities and read-only image mounting
- Windows executable
Widely supported in many forensics tools
- Third-party analysis
Support for many different file systems and full disk encryption methods
- Investigator still needs the password
Can also import other image formats
- dd, Ghost, Expert Witness, etc.
FTK Imager
Perform digital forensics of hard drives, smartphones
- View and recover data from storage devices
Extract many different data types
- Downloaded files
- Browser history and cache
- Email messages
- Databases
- Much more
Autopsy
A pre-built toolkit for exploitations
- Build custom attacks
- Add more tools as vulnerabilities are found
- Increasingly powerful utilities
Metasploit
- Attack known vulnerabilities
The Social-Engineer Toolkit (SET)
- Spear phishing, infectious media generator
Exploitation frameworks
The keys to the kingdom
- Find the passwords
Online cracking
- Try username/password combinations
Offline cracking
- Brute force a hash file
Limitations
- Password complexity/strength (entropy)
- Hashing method and CPU power
- Graphics processors are useful hardware tools
Password crackers
Completely remove data
- No usable information remains
Many different use cases
- Clean a hard drive for future use
- Permanently delete a single file
A one-way trip
- Once it’s gone, it’s really gone
- No recovery with forensics tools
Data sanitization
User clicks an email attachment and executes malware
- Malware then communicates with external servers
DDoS
- Botnet attack
Confidential information is stolen
- Thief wants money or it goes public
User installs peer-to-peer software and allows external access to internal servers
Security incidents
Specialized group, trained and tested
Incident response team
Corporate support
IT security management
Intricate knowledge of compliance rules
Compliance officers
Your team in the trenches
Technical staff
National Institute of Standards and Technology
- Computer Security Incident Handling Guide
The incident response lifecycle
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity
NIST SP800-61
Communication methods
- Phones and contact information
Incident handling hardware and software
- Laptops, removable media, forensic software, digital cameras, etc
Incident analysis resources
- Documentation, network diagrams, baselines, critical file hash values
Incident mitigation software
- Clean OS and application images
Policies needed for incident handling
- Everyone knows what to do
Preparation (Step 1 of Incident Response lifecycle)
Many different sources
- Different levels of detail, different levels of perception
A large amount of “volume”
- Attacks are incoming all the time
- How do you identify the legitimate threats?
Incidents are almost always complex
- Extensive knowledge needed
Detection (Step 2 of Incident Response lifecycle)
An incident might occur in the future
- This is your heads-up
Web server log
- Vulnerability scanner in use
Exploit announcement
- Monthly Microsoft patch release
- Adobe Flash update
Direct threats
- A hacking group doesn’t like you
Incident precursors (Step 2 of Incident Response lifecycle)
An attack is underway
- Or an exploit is successful
Buffer overflow attempt
- Identified by an intrusion detection/prevention system
Anti-virus software identifies malware
- Deletes from OS and notifies administrator
Host-based monitor detects a configuration change
- Constantly monitors system files
Network traffic flows deviate from the norm
- Requires constant monitoring
Incident indicators (Step 2 of Incident Response lifecycle)
Generally a bad idea to let things run their course
- An incident can spread quickly
- It’s your fault at that point
Sandboxes
- An isolated operating system
- Run malware and analyze the results
- Clean out the sandbox when done
Can sometimes be problematic
- Malware or infections can monitor connectivity
- When connectivity is lost, everything could be deleted/encrypted/damaged
Isolation and containment (Step 3 of Incident Response lifecycle)
Get things back to normal
- Remove the bad, keep the good
Eradicate the bug
- Remove malware
- Disable breached user accounts
- Fix vulnerabilities
Recover the system
- Restore from backups
- Rebuild from scratch
- Replace compromised files
- Tighten down the perimeter
Eradication and recovery (Step 3 of Incident Response lifecycle)
A phased approach
- It’s difficult to fix everything at once
Recovery may take months
- Large-scale incidents require a large amount of work
The plan should be efficient
- Start with quick, high-value security changes
- Patches, firewall policy changes
- Later phases involve much “heavier lifting”
- Infrastructure changes, large-scale security rollouts
Reconstitution (part of recovery, Step 3 of Incident Response lifecycle)
Learn and improve
- No system is perfect
Post-incident meeting
- Invite everyone affected by the incident
Don’t wait too long
- Memories fade over time
- Some recommendations can be applied to the next event
Lessons learned (Step 4 of Incident Response lifecycle)
Test yourselves before an actual event
- Scheduled update sessions (annual, semi-annual, etc)
Use well-defined rules of engagement
- Do not touch the production systems
Very specific scenario
- Limited time to run the event
Evaluate response
- Document and discuss
Exercise
Performing a full-scale disaster drill can be costly
- And time consuming
Many of the logistics can be determined through analysis
- You don’t physically have to go through a disaster or drill
Get key players together for a tabletop exercise
- Talk about a simulated disaster
Tabletop exercises
Include responders
- A step beyond a tabletop exercise
- Many moving parts
Test processes and procedures before an event
- Walk through each step
- Involve all groups
- Reference actual response materials
Identifies actual faults or missing steps
- The walkthrough applies the concepts from the tabletop exercise
Walkthroughs
Test with a simulated event
- Phishing attack, password requests, data breaches
Going phishing
- Create a phishing email attack
- Send to your actual user community
- See who bites
Test internal security
- Did the phishing get past the filter
Test the users
- Who clicked?
- Additional training may be required
Simulation
Keeping a good ongoing relationship with customers of IT
- These can be internal or external customers
- An incident response will require teamwork
- Without the stakeholder, IT would not exist
Most of this happens prior to an incident
- Ongoing communication and meetings
- Exercises should include the customers
Continues after the incident
- Prepare for the next event
Stakeholder management
Get your contact list together
- There are a lot of people in the loop
Corporate/Organization
- CIO/Head of Information Security/Internal Response Teams
Internal non-IT
- Human resources, public affairs, legal department
External contacts
- System owner, law enforcement
- US-CERT (for U.S. Government agencies)
Communication plan
If a disaster happens, IT should be ready
- Part of the business continuity plan
- Keep the organization up and running
Disasters are many and varied
- Natural disasters
- Technology or system failures
- Human-created disasters
A comprehensive plan
- Recovery location
- Data recovery method
- Application restoration
- IT team and employee availability
Disaster recovery plan
Not everything goes according to plan
- Disasters can cause a disruption to the norm
We rely on our computer systems
- Technology is pervasive
There needs to be an alternative
- Manual transactions
- Paper receipts
- Phone calls for transaction approvals
These must be documented and tested before a problem occurs
Continuity of operations planning (COOP)
Receives, reviews, and responds
- A predefined group of professionals
Determine what type of events require a response
- A virus infection? Ransomware? DDoS?
May or may not be part of the organizational structure
- Pulled together on an as-needed basis
Focuses on incident handling
- Incident response, incident analysis, incident reporting
Incident response team
Backup your data
- How much and where? Copies, versions of copies, lifecycle of data, purging old data
Regulatory compliance
- A certain amount of data backup may be required
Operational needs
- Accidental deletion, disaster recovery
Differentiate by type and application
- Recover the data you need where you need it
Retention policies
A constantly moving chessboard
- The rules are also constantly changing
Response and intelligence teams need assistance
- Gather and maintain ongoing reconnaissance
Understand attacks
- Many different vectors
Assess the risk in an organization
- Determine if the risk exists
- Use appropriate mitigation
Attacks and responses
Determine the actions of an attacker
- Identify points of intrusion
- Understand methods used to move around
- Identify potential security techniques to block future attacks
MITRE ATT&CK framework
Designed by the intelligence community
- Guide analysts to help understand intrusions
- Integrates well with other frameworks
Apply scientific principles to intrusion analysis
- Measurement, testability, and repeatability
- Appears simple but is remarkably complex
An adversary deploys a capability over some infrastructure against a victim
- Use the model to analyze and fill in the details
Diamond Model of Intrusion Analysis
Seven phases of a cyber attack
- A military concept, adapted by Lockheed Martin
- Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives
Cyber Kill Chain
The scanner looks for everything
- The signatures are the key
The vulnerabilities can be cross-referenced online
- Almost all scanners give you a place to go
Some vulnerabilities cannot be definitively identified
- You’ll have to check manually to see if a system is vulnerable
- But the scanner gives you a heads-up
Identify vulnerability
Lack of security controls
- No firewall
- No anti-virus
- No anti-spyware
Misconfigurations
- Open shares
- Guest access
Real vulnerabilities
- Especially newer ones
- Occasionally the old ones
Vulnerability scan results
A vulnerability is identified that doesn’t really exist
This is different than a low-severity vulnerability
- It’s real but it may not be your highest priority
Update to the latest signatures
- If you don’t know about it, you can’t see it
Work with the vulnerability detection manufacturer
- They may need to update their signatures for your environment
False positives
A vulnerability exists, but you didn’t detect it
False negative
Logging of security events and information
Security alerts
- Real-time information
Log aggregation and long-term storage
- Usually includes advanced reporting features
Data correlation
- Link diverse data types
Forensic analysis
- Gather details after an event
Getting the data
- Sensors and logs
* Operating systems
* Infrastructure devices
* Netflow sensors
- Sensitivity settings
* Easy to be overwhelmed with data
* Some information is unnecessary
* Informational, Warning, urgent
Viewing the data
- Trends
* Identify changes over time
* Easily view constant attack metrics
- Alerts
* Identify a security event
* View raw data
* Visualize the log information
- Correlation
* Combine and compare
* View data in different ways
Security Information and Event Management (SIEM)
Switches, routers, access points, VPN concentrators
- And other infrastructure devices
Network changes
- Routing updates
- Authentication issues
- Network security issues
Network log files
Operating system information
- Extensive logs
- File system information
- Authentication details
Can also include security events
- Monitoring apps
- Brute force, file changes
May require filtering
- Don’t forward everything
System log files
Specific to the application
- Information varies widely
Windows - Event Viewer / Application Log
Linux / macOS - /var/log
Parse the log details on the SIEM
- Filter out unneeded info
Application log files
Detailed security-related information
- Blocked and allowed traffic flows
- Exploit attempts
- Blocked URL categories
- DNS sinkhole traffic
Security devices
- IPS, firewall, proxy
Critical security information
- Documentation of every traffic flow
- Summary of attack info
- Correlate with other logs
Security log files
Web server access
- IP address, web page URL
Access errors
- Unauthorized or non-existent folders/files
Exploit attempts
- Attempt to access files containing known vulnerabilities
Server activity
- Startup and shutdown notices
- Restart messages
Web log files
View lookup requests
- And other DNS queries
IP address of the request
- The request FQDN or IP
Identify queries to known bad URLs
- Malware sites, known command and control domains
Block or modify known bad requests at the DNS server
- Log the results
- Report on malware activity
DNS log files
Know who logged in (or didn’t)
- Account names
- Source IP address
- Authentication methods
- Success and failure reports
Identify multiple failures
- Potential brute force attacks
Correlate with other events
- File transfers
- Authentications to other devices
- Application installation
Authentication log files
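As an added example (not from the original flashcards), this Python script runs the brute-force detection the card describes over constructed sshd-style auth log lines: it counts failed logins per source IP inside a sliding time window, raises an alert when a threshold is reached, and then correlates any later successful login from a flagged source, which is the event worth acting on. The threshold (5 failures in 60 seconds) and the log format are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of Linux auth.log entries for sshd.
SAMPLE_AUTH_LOG = """\
Oct 10 13:55:01 bastion sshd[2311]: Accepted publickey for alice from 203.0.113.7 port 50211 ssh2
Oct 10 13:56:10 bastion sshd[2315]: Failed password for invalid user admin from 198.51.100.23 port 40001 ssh2
Oct 10 13:56:12 bastion sshd[2316]: Failed password for invalid user admin from 198.51.100.23 port 40002 ssh2
Oct 10 13:56:14 bastion sshd[2317]: Failed password for root from 198.51.100.23 port 40003 ssh2
Oct 10 13:56:15 bastion sshd[2318]: Failed password for root from 198.51.100.23 port 40004 ssh2
Oct 10 13:56:17 bastion sshd[2319]: Failed password for bob from 198.51.100.23 port 40005 ssh2
Oct 10 13:56:30 bastion sshd[2320]: Accepted password for bob from 198.51.100.23 port 40006 ssh2
Oct 10 14:10:00 bastion sshd[2400]: Failed password for alice from 203.0.113.7 port 50300 ssh2
Oct 10 14:10:20 bastion sshd[2401]: Accepted password for alice from 203.0.113.7 port 50301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line: str, year: int = 2023):
    """Extract timestamp, result, auth method, account and source IP from one line.
    Classic syslog timestamps carry no year, so the year is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect(log_text: str, threshold: int = 5, window_s: int = 60):
    """Return (alerts, suspicious_successes).

    alerts: (ip, time, failures) when a source reaches `threshold` failures
            within any `window_s`-second window.
    suspicious_successes: (ip, user, time) for an accepted login from a source
            that had already tripped the alert: the correlation that matters.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts, suspicious = [], []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # expire old failures
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, ts, len(q)))
        elif ip in flagged:
            suspicious.append((ip, ev["user"], ts))
    return alerts, suspicious


if __name__ == "__main__":
    alerts, suspicious = detect(SAMPLE_AUTH_LOG)
    for ip, ts, n in alerts:
        print(f"ALERT brute force: {n} failures from {ip} by {ts:%H:%M:%S}")
    for ip, user, ts in suspicious:
        print(f"REVIEW: successful login for {user} from flagged source {ip} at {ts:%H:%M:%S}")
```

The single failure from 203.0.113.7 followed by a success never reaches the threshold and is reported as nothing, which is the point of the window: ordinary typos are not brute force.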
Store all contents of memory into a diagnostic file
- Developers can use this info
Easy to create
- Windows Task Manager > Right click > Create dump file
Some applications have their own process
- Contact the appropriate support team for additional details
Dump files
View inbound and outbound call info
- Endpoint details, gateway communication
Security information
- Authentications, audit trails
SIP traffic logs
- Session Initiation Protocol
- Call setup, management, and teardown
- Inbound and outbound calls
- Alert on unusual numbers or country codes
VoIP and Call Manager logs
Standard for message logging
- Diverse systems create a consolidated log
Usually a central logging receiver
- Integrated into the SIEM
Each log entry is labeled
- Facility code (program that created the log) and severity level
Options
- Rsyslog - “Rocket-fast System for log processing”
- syslog-ng - A popular syslog daemon with additional filtering and storage options
- NXLog - Collection from many diverse log types
Syslog
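This added example (not part of the original flashcards) shows how the facility code and severity level on each syslog entry are actually encoded, which is also what the logger card's facility.severity pair becomes on the wire: the PRI value in angle brackets at the front of the message is facility * 8 + severity. The Python below encodes, decodes, and filters by severity. The facility and severity names follow RFC 5424; the first sample message is the example from RFC 3164, the others are constructed.

```python
import re

# RFC 5424 facility codes 0-23 (names for 12-15 are the RFC's descriptions, shortened).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity 0 is the most severe, 7 the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)

SAMPLE_MESSAGES = [
    # RFC 3164's own example: <34> = auth (4*8) + crit (2)
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    # Constructed: user.notice, authpriv.info, kern.emerg
    "<13>Oct 11 22:14:20 mymachine backup.sh: nightly backup complete",
    "<86>Oct 11 22:15:00 mymachine sshd[9512]: Accepted publickey for alice",
    "<0>Oct 11 22:16:00 mymachine kernel: Kernel panic - not syncing",
]


def encode_pri(facility: str, severity: str) -> int:
    """'auth', 'crit' (the facility.severity that logger -p accepts) -> 34."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple[str, str]:
    """34 -> ('auth', 'crit'). Valid PRI values are 0..191 (23*8 + 7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_message(raw: str) -> dict:
    """Split a raw syslog line into its labels and the remaining text."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "severity_num": pri % 8, "body": m["rest"]}


def at_least(messages, severity: str = "warning") -> list[dict]:
    """Keep only messages at this severity or worse, the usual SIEM forwarding cut."""
    cutoff = SEVERITIES.index(severity)
    return [m for m in map(parse_message, messages) if m["severity_num"] <= cutoff]


if __name__ == "__main__":
    for m in map(parse_message, SAMPLE_MESSAGES):
        print(f"<{m['pri']:>3}> {m['facility']}.{m['severity']:<8} {m['body']}")
    print("forwarded at warning or worse:", len(at_least(SAMPLE_MESSAGES)))
```

The same arithmetic is why a misconfigured sender that logs everything at local0.info fills the collector with PRI 134 entries that every severity filter passes through as merely informational.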
Linux has a lot of logs
- The OS, daemons, applications, etc
System logs are stored in a binary format
- Optimized for storage and queries
- Can’t read them with a text editor
Provides a method for querying the system journal
- Search and filter
- View as plain text
journalctl
The fundamental network statistic
- Percentage of network use over time
Many different ways to gather this metric
- SNMP, NetFlow, sFlow, IPFIX protocol analysis, software agent
Identify fundamental issues
- Nothing works properly if bandwidth is highly utilized
Bandwidth monitors
Data that describes other data sources
Email
- Header details, sending servers, destination address
Mobile - Type of phone, GPS location
Web - Operating system, browser type, IP address
Files - Name, address, phone numbers, title
Metadata
Gather traffic statistics from all traffic flows
- Shared communication between devices
- Standard collection method
- Many products and options
Probe and collector
- Probe watches network communication
- Summary records are sent to the collector
Usually a separate reporting app
- Closely tied to the collector
NetFlow
A newer, NetFlow-based standard
- Evolved from NetFlow v9
Flexible data support
- Templates are used to describe the data
IP Flow Information Export (IPFIX)
Only a portion of the actual network traffic
- So, technically not a flow
Usually embedded in the infrastructure
- Switches, routers
- Sampling usually occurs in the hardware/ASICs
Relatively accurate statistics
- Useful information regarding video streaming and high-traffic applications
sFlow
Solve complex application issues
- Get into the details
Gathers packets on the network
- Or in the air
- Sometimes built into the device
View detailed traffic information
- Identify unknown traffic
- Verify packet filtering and security controls
- View a plain-language description of the application data
Protocol analyzer output
The end user device
- Desktop PC, laptop, tablet, phone, etc.
Many ways to exploit a system
- OS vulnerability, malware, user intervention
Security team has to cover all of the bases
- Recognize and react to any malicious activity
The endpoint
Any application can be dangerous
- Vulnerabilities, trojan horses, malware
- Security policy can control app execution
Approved list
- Nothing runs unless it’s approved
- Very restrictive
Blocklist/deny list
- Nothing on the “bad list” can be executed
- Anti-virus, anti-malware
Quarantine
- Anything suspicious can be moved to a safe area
Application approved/deny lists
Decisions are made in the operating system
- Often built-in to the operating system management
- Application hash
Only allows applications with this unique identifier
Certificate
- Allow digitally signed apps from certain publishers
Path
- Only run applications in these folders
Network zone
- The apps can only run from this network zone
Examples of application approval lists
Manage application flows
Block dangerous applications
Firewall rules
Enable or disable phone and tablet functionality
Regardless of physical location
Mobile Device Manager (MDM)
Block transfer of personally identifiable information (PII) or sensitive data
Credit card numbers, social security numbers, etc.
Data Loss Prevention (DLP)
Limit access to untrusted websites
Block known malicious sites
Large blocklists are used to share suspicious URLs
Content filter/URL filter
Manage device certificates to verify trust
Revoking a certificate effectively removes access
Updating or revoking certificates
Administratively isolate a compromised device from everything else
- Prevent the spread of malicious software
- Prevent remote access or C2 (Command and Control)
Isolation
Isolation to a remediation LAN
No communication to other devices
Network isolation
Limit application execution
Prevent malicious activity but allow device management
Process isolation
Run each application in its own sandbox
Limit interaction with the host operating system and other applications
Ransomware would have no method of infection
Contains the spread of a multi-device security event, e.g., ransomware
- Disable administrative shares
- Disable remote management
- Disable local account access and change local administrator password
Application containment
Separate the network
- Prevent unauthorized movement
- Limit the scope of a breach
Segmentation
Integrate third-party tools and data sources
Make security teams more effective
Security Orchestration, Automation, and Response (SOAR)
Linear checklist of steps to perform
Step-by-step approach to automation
Reset a password, create a website certificate, back up application data
Runbooks
Conditional steps to follow; a broad process
Investigate a data breach, recover from ransomware
Playbooks
Collect and protect information relating to an intrusion
- Many different data sources and protection mechanisms
Standard digital forensic process
- Acquisition, analysis, and reporting
Must be detail oriented
- Take extensive notes
Digital forensics
A legal technique to preserve relevant information
- Prepare for impending litigation
- Initiated by legal counsel
Hold notification
- Records custodians are instructed to preserve data
Separate repository for electronically stored information (ESI)
- Many different data sources and types
- Unique workflow and retention requirements
Ongoing preservation
- Once notified, there’s an ongoing obligation to preserve data
Legal hold
A moving record of the event
- Gathers information external to the computer and network
Captures the status of the screen and other volatile information
- Today’s mobile video devices are remarkable
Don’t forget security cameras and your phone
The video content must also be archived
- May have some of the most important record of information
Capture video
Not all data can be used in a court of law
- Different rules in different jurisdictions
Legal authorization
- Search and seizure of information
Procedures and tools
- The correct tools used the correct way
Laboratories
- Proper scientific principles used to analyze the evidence
Technical and academic qualifications
- Competence and qualifications of experts
Admissibility
Control evidence
- Maintain integrity
Everyone who contacts the evidence
- Use hashes
- Avoid tampering
Label and catalog everything
- Digitally tag all items for ongoing documentation
- Seal and store
Chain of custody
The time zone determines how the time is displayed
- Document the local device settings
Different file systems store timestamps differently
- FAT: Time is stored in local time
- NTFS: Time is stored in UTC (GMT)
Record the time offset from the operating system
- The Windows Registry
- Many different values (daylight savings time, time change information, etc)
Recording time offsets
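An added example, not part of the original flashcards, of why the recorded offset matters. The Python below converts an NTFS FILETIME (100-nanosecond ticks since 1601-01-01 UTC, so no offset is needed) and unpacks a FAT date/time pair, which is wall-clock local time with no zone recorded, so the same 16-bit fields land on different UTC instants depending on the offset the examiner documented from the device. The sample FAT values are constructed; the conversion constants are the standard ones.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Ticks between 1601-01-01 and the Unix epoch (standard constant).
UNIX_EPOCH_FILETIME = 116444736000000000


def filetime_to_utc(ft: int) -> datetime:
    """NTFS timestamp -> aware UTC datetime. No local offset is involved."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_filetime(unix_seconds: int) -> int:
    """Unix epoch seconds -> FILETIME ticks."""
    return unix_seconds * 10_000_000 + UNIX_EPOCH_FILETIME


def fat_to_naive(fat_date: int, fat_time: int) -> datetime:
    """Unpack FAT's 16-bit date and time fields.

    date: bits 15-9 year-1980, 8-5 month, 4-0 day
    time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2
    The result is local wall time with no zone attached: FAT stores none.
    """
    year = 1980 + (fat_date >> 9)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    hour = fat_time >> 11
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2  # 2-second resolution
    return datetime(year, month, day, hour, minute, second)


def fat_to_utc(fat_date: int, fat_time: int, utc_offset_hours: float) -> datetime:
    """Apply the offset documented from the device (for Windows, the registry's
    TimeZoneInformation values) to place the FAT wall time on the UTC timeline."""
    local = fat_to_naive(fat_date, fat_time).replace(
        tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed FAT fields for 2023-10-10 13:55:36 local time.
    date_field, time_field = 0x574A, 0x6EF2
    print("FAT wall time  :", fat_to_naive(date_field, time_field))
    for offset in (-4, -5, +1):
        print(f"  with UTC{offset:+d} :", fat_to_utc(date_field, time_field, offset))
    print("NTFS FILETIME  :", filetime_to_utc(unix_to_filetime(1696946136)))
```

The three UTC results for the same FAT bytes differ by whole hours; a timeline built without the documented offset (including whether daylight saving was in effect) will misorder FAT-resident events against NTFS and log timestamps.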
System logs
- Documents important operating system and application events
Export and store for future reference
- Filter and parse
Log store
- Linux: /var/log
- Windows: Event Viewer
Event logs
Who might have seen this?
- You won’t know until you ask
Interview and document
- These folks might not be around later
Not all witness statements are 100% accurate
- Humans are fallible
Interviews
Document the findings
- For Internal use, legal proceedings, etc
Summary information
- Overview of the security incident
Detailed explanation of data acquisition
- Step-by-step method of the process
The findings
- An analysis of the data
Conclusion
- Professional result, given the analysis
Reports
How long does data stick around?
- Some media is much more volatile than others
- Gather data in order from the most volatile to less volatile
Order most to least volatile:
1) CPU registers, CPU cache
2) Router table, ARP cache, process table, kernel statistics, memory
3) Temporary file systems
4) Disk
5) Remote logging and monitoring data
6) Physical configuration, network topology
7) Archival media
Order of volatility
Copy everything on a storage drive
- Hard drive, SSD, flash drive
Drive image preparation
- Power down to prevent changes
- Remove storage drive
Connect to imaging device
- With write-protection
Forensic clone
- Bit-for-bit copy
- Preserve all data (even the “deleted” data)
Disk
A difficult target to capture
- Changes constantly
- Capturing data changes the data
Memory dump
- Grab everything
- Many third-party tools
Important data
- Browser history
- Clipboard information
- Encryption keys
- Command history
Random Access Memory (RAM)
Used by different operating systems
- Slightly different usage in each
A place to store RAM when memory is depleted
- There’s a lot more space on the storage device
- Transfer pages of RAM to a storage device
Can also contain portions of an application
- Page out portions that aren’t in use
Contains data similar to a RAM dump
- Anything active on the system
Swap/pagefile
OS files and data
- May have been modified
Core operating system
- Executable files and libraries
- Can be compared later to known-good files
- Usually captured with a drive image
Other OS data
- Logged in users
- Open ports
- Processes currently running
- Attached device list
Operating System
Mobile device and tablets
- A more challenging forensics task
Capture data
- Use an existing backup file
- Transfer image over USB
Data
- Phone calls
- Contact information
- Text messages
- Email data
- Images and movies
Device
Extract the device firmware
- Rootkits and exploited hardware device
- A reprogrammed firmware or ROM
Specific to the platform
- Firmware implementations vary widely
Attacker gains access to the device
- Maintains access through OS updates
Data dictionary
- Exploit data
- Firmware functionality
- Real-time data
Firmware
Generally associated with virtual machines
- A point-in-time system image
Incremental between snapshots
- Original image is the full backup
- Each snapshot is incremented from the last
- Restoring requires the original and all snapshots
Contains all files and information about a VM
- Similar to the system image
- Operating system, applications, user data, etc
Snapshot
Store data for use later
- Often used to increase performance
- Many different caches (CPU, disk, Internet, etc.)
Can contain specialized data
- CPU cache is very short-term instruction storage
Some data may never be used
- Erased after a specified timeframe or when the cache is full
- Browser caches are often long-lived
Data
- URL locations
- Browser page components (text, images)
Cache
Gather information about and from the network
- Network connections, packet captures
Inbound and outbound sessions
- OS and application traffic
Packet data
- Capture raw network data
- May include long-term packet captures
Third-party packet captures
- Firewalls, IPS, etc.
Network
Digital items left behind
- Every contact leaves a trace
- May not be obvious to access
Artifact locations
- Log information
- Flash memory
- Prefetch cache files
- Recycle Bin
- Browser bookmarks and saved logins
Artifacts
Adding complexity to the digital forensics process
- Cloud technologies
Technical challenges
- Devices are not totally in your control
- There may be limited access
- Associate data with a specific user
Legal issues
- Laws are different around the world
- The rules may not be immediately obvious
Forensics in the cloud
Common to work with business partners
- Data sharing
- Outsourcing
Cloud computing providers
- Can hold all of the data
- Manage Internet access
- Are they secure?
Should be in the contract
- A legal agreement to have the option to perform a security audit at any time
- Everyone agrees to the terms and conditions
- Ability to verify security before a breach occurs
Right to audit clauses
Cloud computing technology appeared relatively quickly
- The legal world is scrambling to catch up
Forensics professionals must know their legal rights
- Data in a different jurisdiction may be bound by very different regulators
Data stored in the cloud may not be located in the same country
- Location of the data center may determine how data can be treated
Location of the data is critical
- Legal frameworks vary widely between countries
- Some countries don’t allow electronic searches outside of their borders
Regulatory/jurisdiction
Notification laws
- If consumer data is breached, the consumer must be informed
- Vary widely across countries and localities
- If you are in the cloud, you’re a global entity
Notification requirements also vary
- Type of data breached
- Who gets notified
- How quickly
Data breach notification laws
Hashing
- Cryptographic integrity verification
- A digital “fingerprint”
Checksums
- Detect accidental changes during transmission or storage
- A relatively simple integrity check
- Not collision-resistant: a deliberate change can keep the same checksum
- Not designed to replace a hash
Provenance
- Documentation of authenticity
- A chain of custody for data handling
- Blockchain technology
Integrity
Handling evidence
- Isolate and protect the data
- Analyze the data later without any alterations
Manage the collection process
- Work from copies
- Manage the data collection from mobile devices
Live collection has become an important skill
- Data may be encrypted or difficult to collect after powering down
Follow best practices to ensure admissibility of data in court
- What happens now affects the future
Preservation
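The Integrity and Preservation cards above come together in practice as a hash taken at acquisition and re-checked at every hand-off. The following added example (not from the original flashcards; the "drive image" is a constructed byte string and the examiner names are placeholders) records a chain of custody keyed on SHA-256, flags a working copy that was accidentally written to, and shows why a checksum is not a substitute for a hash: swapping two bytes of the image leaves a simple additive checksum unchanged.

```python
import hashlib
import zlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def additive_checksum(data: bytes) -> int:
    """16-bit sum-of-bytes checksum. Catches most accidental corruption, but any
    reordering of the same bytes yields the same value, and a few bytes can be
    adjusted on purpose to hit any target value."""
    return sum(data) & 0xFFFF


@dataclass
class CustodyEntry:
    when: str
    actor: str
    action: str
    sha256: str


@dataclass
class EvidenceRecord:
    label: str
    acquisition_sha256: str  # the "fingerprint" taken when the image was acquired
    log: list = field(default_factory=list)


def log_event(record: EvidenceRecord, data: bytes, actor: str, action: str) -> bool:
    """Hash the item at each hand-off and append a custody entry. Returns False
    when the hash no longer matches the acquisition hash (evidence altered)."""
    digest = sha256_hex(data)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record.log.append(CustodyEntry(stamp, actor, action, digest))
    return digest == record.acquisition_sha256


def acquire(label: str, image: bytes, actor: str) -> EvidenceRecord:
    record = EvidenceRecord(label, sha256_hex(image))
    log_event(record, image, actor, "acquired image")
    return record


def demo() -> dict:
    # Constructed stand-in for a drive image (not real evidence).
    original = bytes(range(256)) * 4 + b"\x00EVIDENCE.BIN\x00"
    record = acquire("HDD-001", original, "examiner A")

    # Analysis happens on a copy, verified against the acquisition hash at each hand-off.
    working_copy = bytes(original)
    copy_ok = log_event(record, working_copy, "examiner B", "received working copy")

    # A tool writes to the copy by mistake; the next hand-off detects it.
    altered = working_copy[:-1] + b"!"
    altered_ok = log_event(record, altered, "examiner B", "returned working copy")

    # Checksum versus hash: swap two bytes of the image.
    swapped = bytearray(original)
    swapped[10], swapped[20] = swapped[20], swapped[10]
    swapped = bytes(swapped)

    return {
        "copy_verified": copy_ok,
        "altered_copy_verified": altered_ok,
        "custody_entries": len(record.log),
        "additive_checksum_detects_swap": additive_checksum(original) != additive_checksum(swapped),
        "crc32_detects_swap": crc32_hex(original) != crc32_hex(swapped),
        "sha256_detects_swap": sha256_hex(original) != sha256_hex(swapped),
    }
```

The same comparison is what "compared later to known-good files" on the Operating System card means: hash the captured executables and libraries and compare against a trusted hash set. The checksum result is the caveat a practitioner should remember: CRC32 catches the transposition here, but like the additive checksum it is linear, so an attacker who wants a modified image to keep its checksum can arrange that; only a cryptographic hash makes that infeasible.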
Collect, prepare, review, interpret, and produce electronic documents
Gathers data required by the legal process
- Does not generally involve analysis
- There’s no consideration of intent
Works together with digital forensics
- The e-discovery process obtains a storage device
- The drive holds less data than expected
- Forensics experts determine that data was deleted and attempt to recover it
Electronic discovery (E-discovery)
Extract missing data without affecting the integrity of the data
- Requires training and expertise
The recovery process can vary
- Deleted file
- Hidden data
- Hardware or software corruption
- Storage device is physically damaged
Data recovery
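One recovery technique for the "deleted file" case is file carving: when the directory entry is gone but the file's blocks are still on disk, the examiner scans a read-only copy of the image for known header and footer signatures. The following added example (not from the original flashcards; the "unallocated space" image is constructed inline, with a real 1x1 PNG built from scratch so there is something to recover) carves PNG files out of raw bytes without writing to the image, and stops cleanly at a truncated file that has a header but no footer:

```python
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC


def carve_png(image: bytes) -> list:
    """Find PNG files by header/footer signature in a raw image.
    Read-only: the image is only scanned. Returns [(offset, bytes), ...]."""
    found = []
    start = image.find(PNG_MAGIC)
    while start != -1:
        end = image.find(PNG_END, start)
        if end == -1:  # header without a footer: truncated file, nothing complete to carve
            break
        end += len(PNG_END)
        found.append((start, image[start:end]))
        start = image.find(PNG_MAGIC, end)
    return found


def build_tiny_png() -> bytes:
    """Construct a valid 1x1 red PNG so the example has a real file to recover."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        body = ctype + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return len(data).to_bytes(4, "big") + body + crc.to_bytes(4, "big")
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one RGB pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_image() -> tuple:
    """Constructed 'unallocated space': filler bytes, two intact PNGs whose directory
    entries are gone, and a truncated PNG header at the end."""
    png = build_tiny_png()
    filler = bytes(range(256)) * 4
    image = filler + png + filler + png + filler[:100] + PNG_MAGIC + b"\x00" * 10
    return image, png


def demo() -> dict:
    image, png = build_image()
    carved = carve_png(image)
    return {
        "files_recovered": len(carved),
        "offsets": [offset for offset, _ in carved],
        "all_intact": all(data == png for _, data in carved),
    }
```

Carving recovers content, not metadata: the original file name, timestamps and owner come from the file system, so carved files are normally reported with their offset in the image and hashed on extraction so the recovery can be tied back to the preserved image.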
Proof of data integrity and the origin of the data
- The data is unchanged and really did come from the sender
- Hashing the data
Authentication that the data is genuine, with high confidence
- The only person who could have sent the data is the sender
Message Authentication Code (MAC)
- Both parties share the same key, so each can verify the other’s messages
- Either party could have created the MAC, so it proves nothing to a third party
Digital Certificate
- The signature is created with a private key only the sender holds
- The non-repudiation can be publicly verified
Non-repudiation
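The difference between a MAC and a digital signature is easiest to see when the receiver tries to forge. The following added example (not from the original flashcards) uses HMAC-SHA256 from the standard library for the MAC and a toy textbook RSA signature, generated with a Miller-Rabin prime search and used without padding, purely to illustrate the asymmetry; the key sizes and lack of padding make it unsuitable for anything but this demonstration. Bob, who shares the MAC key with Alice, can produce a valid tag for a message Alice never sent; with the signature he cannot, because only Alice's private key verifies under her public key.

```python
import hashlib
import hmac
import random
import secrets


# ---- Symmetric: HMAC, a Message Authentication Code ----
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


# ---- Asymmetric: toy textbook RSA signature (assumption: illustration only;
# small key, no padding, not constant-time; never use in production) ----
def _probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin witness loop
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")  # < 2**256 < n


def rsa_sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(message), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


def demo() -> dict:
    message = b"Alice agrees to pay Bob 100 EUR"
    forged = b"Alice agrees to pay Bob 100000 EUR"

    # MAC: Alice and Bob share one key, so Bob can mint a tag Alice never made.
    shared_key = secrets.token_bytes(32)
    tag = mac_tag(shared_key, message)
    forged_tag = mac_tag(shared_key, forged)

    # Signature: only Alice holds her private key; Bob can sign only with his own.
    alice_pub, alice_priv = rsa_keygen()
    signature = rsa_sign(alice_priv, message)
    _, bob_priv = rsa_keygen()
    bob_attempt = rsa_sign(bob_priv, forged)

    return {
        "mac_valid": mac_verify(shared_key, message, tag),
        "mac_forged_by_receiver_valid": mac_verify(shared_key, forged, forged_tag),
        "signature_valid": rsa_verify(alice_pub, message, signature),
        "signature_forged_by_receiver_valid": rsa_verify(alice_pub, forged, bob_attempt),
    }
```

A third party handed the forged message and its HMAC cannot tell whether Alice or Bob created it, which is why a MAC gives integrity and authenticity between the two key holders but no non-repudiation; the signature can be checked by anyone holding Alice's public key, and a certificate is what binds that public key to Alice's identity.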
A focus on key threat activity for a domain
Business sectors, geographical regions, countries
Gather information from internal threat reports, third-party data sources, and other data inputs
Determine the threat landscape based on the trends
Strategic intelligence
Prevent hostile intelligence operations
Discover and disrupt foreign intelligence threats
Gather threat information on foreign intelligence operations
Strategic counterintelligence