
Forensics for the Defense



Forensic techniques are not just for law enforcement. You need to supplement your existing security package and provide evidence of due diligence in the event of an incident. Test your security before someone else does.

Published in: Technology

  • Crime scenes and evidence, bringing criminals to justice, secret files on devices, a neatly laid-out trail of evidence, police chases, gunfire. Everything is solved by the end of the TV show, in 30 minutes or less (commercials not included, of course).
  • Law enforcement: critical evidence in cases, breaches/cyber attacks. Emerging - security: verification, penetration testing.
  • "Dead" analysis: drive image; searching for deleted and hidden files; the evidence must never change. New technologies are making this more challenging: full disk encryption/hardware encryption, solid state drives.
  • Memory analysis is becoming increasingly important. Capturing this evidence often requires modifying the evidence, because capture tools need to access/write to memory. Some evidence may only exist in memory.
  • Network forensics: much more information. Search and web history, timing of requests and keystrokes, location data. Sources: firewall logs, DNS logs, IDS logs, packet captures.
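The notes above list firewall and DNS logs as sources and single out the timing of requests. The following is an added example (not code from the talk or its author) that merges two differently formatted log sources into one ordered timeline and then isolates a single host's activity and the gaps between its events. Both log formats and every sample line are constructed for this example; they do not correspond to any real product's format.

```python
"""Merge constructed firewall and DNS log lines into one host timeline."""
import re
from datetime import datetime

# Constructed sample log lines in hypothetical formats (not real products).
FIREWALL_LOG = """\
2013-05-01T09:00:07 ALLOW TCP 10.1.2.50:51234 -> 93.184.216.34:443
2013-05-01T09:00:05 ALLOW UDP 10.1.2.50:50011 -> 10.1.2.1:53
2013-05-01T09:03:41 DENY TCP 10.1.2.77:44001 -> 198.51.100.9:22
"""

DNS_LOG = """\
01-May-2013 09:00:05.812 client 10.1.2.50#50011: query: example.com IN A
01-May-2013 09:03:40.002 client 10.1.2.77#50932: query: files.example.org IN A
"""

FW_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
DNS_RE = re.compile(
    r"^(\S+ \S+) client ([\d.]+)#\d+: query: (\S+) IN (\S+)$")


def parse_firewall(text):
    """Firewall lines -> events keyed on the internal (source) host."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue  # lines that do not parse are skipped, not guessed at
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append({
            "time": ts, "source": "firewall", "host": m.group(4),
            "detail": f"{m.group(2)} {m.group(3)} to {m.group(6)}:{m.group(7)}",
        })
    return events


def parse_dns(text):
    """DNS query lines -> events keyed on the querying client."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        events.append({
            "time": ts, "source": "dns", "host": m.group(2),
            "detail": f"query {m.group(3)} {m.group(4)}",
        })
    return events


def build_timeline(*event_lists):
    """Single chronologically ordered list across all sources."""
    events = [e for lst in event_lists for e in lst]
    return sorted(events, key=lambda e: e["time"])


def host_timeline(timeline, host):
    """Only the events belonging to one host, order preserved."""
    return [e for e in timeline if e["host"] == host]


def gaps_seconds(events):
    """Seconds between consecutive events: the 'timing of requests'."""
    return [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(events, events[1:])]


if __name__ == "__main__":
    tl = build_timeline(parse_firewall(FIREWALL_LOG), parse_dns(DNS_LOG))
    for e in tl:
        print(e["time"].isoformat(), e["source"], e["host"], e["detail"])
    print("gaps for 10.1.2.50:", gaps_seconds(host_timeline(tl, "10.1.2.50")))
```

The design point is that each source keeps its own parser and timestamp format, and correlation happens only on the normalised event dictionaries; adding IDS alerts or packet-capture summaries means adding one more parser, not touching the merge.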
  • Forensic techniques are for more than just law enforcement. More flexibility; experimenting with evidence may be desirable; minimal legal issues, especially for research purposes.
  • Time-consuming process. Requires attention to detail. Documentation! Consider the time involved when determining whether it is necessary.
  • Verification: application analysis and verification. Pen testing: encrypted laptop. Malware/exploit/breach analysis: be careful, legal concerns.
  • Consider legal ramifications, especially if there is a possibility of criminal activity. Know your limits. Involve law enforcement; critical for malware/breach investigations.
  • Checkbox: trust but verify. Simulate an actual attack (zero-knowledge attacks). Identify shortcomings before they become problems.
  • Application verification - don’t trust the developer’s word!
  • For application verification: control image (a system with the application, simplified as much as possible); test cases (run the application, generate data); analysis (investigate application process/behavior, MAC times, search for interesting data).
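The control-image / test-case / analysis procedure above can be scripted. The following is an added example, not code from the talk, that snapshots a directory tree (size plus MAC times), lets the application under test run, diffs the snapshots, and then searches the created and modified files for one kind of "interesting data": strings that look like card numbers and pass the Luhn check, which is the PCI concern the slides raise. The directory layout, the stand-in application and the test card number are all constructed for the example; the scan is deliberately narrow and only illustrates the search step.

```python
"""Application verification: snapshot, run, diff, search (added example)."""
import re
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file to (size, mtime, atime, ctime): size plus the MAC times."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            rel = path.relative_to(root).as_posix()
            result[rel] = (st.st_size, st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns)
    return result


def diff_snapshots(before, after):
    """Created, deleted and modified paths between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p][0] != after[p][0]     # size changed
                      or before[p][1] != after[p][1])    # mtime changed
    return {"created": created, "deleted": deleted, "modified": modified}


def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_files(root, paths):
    """Return {relative path: [card numbers]} for files with findings."""
    findings = {}
    for rel in paths:
        data = (Path(root) / rel).read_text(errors="replace")
        hits = find_card_numbers(data)
        if hits:
            findings[rel] = hits
    return findings


def verify_application(root, run_app):
    """Baseline -> exercise the application -> diff -> search new/changed files."""
    before = snapshot(root)
    run_app(root)
    after = snapshot(root)
    changes = diff_snapshots(before, after)
    findings = scan_files(root, changes["created"] + changes["modified"])
    return changes, findings


def stand_in_app(root):
    """Constructed stand-in for the application under test: it 'processes' a
    transaction and leaves a cache file behind, which is what we want to catch."""
    cache = Path(root) / "cache"
    cache.mkdir(exist_ok=True)
    (cache / "last_txn.tmp").write_text("txn=42;pan=4111 1111 1111 1111;amount=19.99\n")
    (Path(root) / "app.log").write_text("processed 1 transaction\n")


def demo():
    """Build a minimal control image in a temp dir and run the verification."""
    root = tempfile.mkdtemp(prefix="appverify-")
    (Path(root) / "app.log").write_text("started\n")  # part of the control image
    return verify_application(root, stand_in_app)


if __name__ == "__main__":
    changes, findings = demo()
    print("changes:", changes)
    print("findings:", findings)
```

Against a real control image the snapshot would be taken of the whole mounted image rather than one directory, and the search step would be extended with whatever data the application is expected to handle; the structure (baseline, exercise, diff, search only what changed) stays the same.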
  • Setting the scene: Company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
  • Zero knowledge attack: identical to a real attack. Authenticated testing: allows for testing specific scenarios.
  • Laptop was fully encrypted. Administrator confident no information could be retrieved or leaked.
  • Full disk images, physical and digital. Write blocker used; the system was never booted using the original disk (critical step!). The scratch disk could be restored, leaving no evidence of the attack. Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption solution.
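The note above rests on two habits: the original disk is never written to, and all work happens on a scratch copy that can be restored from the master image. The following is an added example, not from the talk, that shows the verification side of that: hash the master image at acquisition time, re-verify it after working, and detect that the scratch copy has diverged and has been restored. The "disk image" is a few MiB of constructed bytes in a temporary directory; the write simulated on the scratch copy stands in for what a boot would do.

```python
"""Acquisition hash, re-verification and scratch-copy restore (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so a real multi-GB image never sits in memory


def hash_file(path, algo="sha256"):
    """Hex digest of a file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hash):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(path) == expected_hash


def demo():
    work = Path(tempfile.mkdtemp(prefix="image-"))
    master = work / "laptop.dd"
    # Constructed stand-in for a disk image: 1 MiB of deterministic bytes.
    master.write_bytes(bytes(range(256)) * 4096)
    acquisition_hash = hash_file(master)  # recorded in the case notes

    # All work happens on a scratch copy, never on the master.
    scratch = work / "scratch.dd"
    shutil.copyfile(master, scratch)
    with open(scratch, "r+b") as f:   # simulate a write that booting would cause
        f.seek(512)
        f.write(b"BOOTED")

    results = {
        "master_intact": verify_image(master, acquisition_hash),
        "scratch_modified": not verify_image(scratch, acquisition_hash),
    }
    # Restore the scratch copy from the master and confirm it matches again.
    shutil.copyfile(master, scratch)
    results["scratch_restored"] = verify_image(scratch, acquisition_hash)
    return results


if __name__ == "__main__":
    print(demo())
```

The hash recorded at acquisition is the evidence that the master was not changed by the testing that followed; re-hashing after the work is done is what lets you state that in a report rather than assume it.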
  • Grace period: a window of time during which the system was allowed to boot normally; the passphrase was required only after the timeout. Images/repeated imaging allowed us to work indefinitely. The system booted to Windows during the grace period, so there was no need to attack the encryption directly; memory analysis techniques applied instead.
  • Downgrade system memory. Leverage DMA to dump memory (FireWire). Exploit operating system structures in memory (Inception tool). Result: full admin access.
  • We didn’t need to break the encryption; we leveraged configuration oversights, and the key may still be in memory. Convenience vs. security resulted in total failure. Zero knowledge: the company would not be able to determine that information was stolen.
  • Transcript

    • 1. Tom Kopchak – Forensics for the Defense (of your network)
    • 2. About the Presenter – Who am I? • Who am I? • Why am I here, and what got me here? • Why am I passionate about computer security?
    • 3. You do "forensics"?!? That sounds awesome!!
    • 4. The Truth • Evidence can be hard to come by • Any and all evidence must be carefully accounted for and documented • Cases involving movie-like circumstances are few and far between
    • 5. Forensics = Valuable • Traditional - Law enforcement • Emerging - Security
    • 6. Traditional Forensics – Disks
    • 7. Next Steps – Memory
    • 8. Expanding the Scope
    • 9. Leveraging Forensics for Business
    • 10. Commonalities
    • 11. Practical Applications
    • 12. Practical Applications • Forensic Verification • Forensic Penetration Testing • Malware/Exploit/Breach Analysis
    • 13. A word of caution... • Permission!
    • 14. Why Forensics? • Security is not a checkbox • Simulate attack • Identify shortcomings
    • 15. Forensic Verification • Applications might store temporary/cached data • PCI implications
    • 16. Test Configuration • Control image • Test Cases • Analysis
    • 17. Encrypted Laptop – Stolen! It’s safe, right?
    • 18. The Solution – Forensics Penetration Testing. Zero Knowledge vs. Authenticated Testing
    • 19. The Real Test. Fully Encrypted – Administrator Confidence 100%
    • 20. Starting the Attack. Machine Powered Off – Full Disk Images Created
    • 21. Breakthrough • Grace period for pre-boot authentication lockout
    • 22. Mounting the attack. Downgrade memory – Leverage DMA – Exploit OS. Result: Full Admin Access to Entire System
    • 23. Failure of Encryption? • Encryption Did Not Fail! • Convenience vs. Security • Zero knowledge attack
    • 24. Forensics for the Defense – One System at a Time • System vulnerabilities unknown until tested • Forensic Penetration testing = same purpose as traditional penetration test • Learn and improve from mistakes
    • 25. Conclusions • Forensic techniques are not just for law enforcement • Supplement your existing security package • Provide evidence of due diligence in the event of an incident • Test your security before someone else does
    • 26. Wrap Up/QA