Anti-Forensics: Real world identification, analysis and prevention

    Anti-Forensics: Real world identification, analysis and prevention - Presentation Transcript

    1. Digital Anti-Forensics Real World Identification, Analysis & Prevention Michael Legary IR-10 November 7, 2007 Copyright 2005 Seccuris Inc
    2. Introduction Michael Legary Founder, Seccuris Inc. CISSP, CISA, CISM, CCSA, GCIH, SCF CNE, MCSE, CCNA
    3. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
    4. Organization A - Agrieng Inc • Small Agri-Business • Sales +/- 2M & 25 Employees • Designs tractors, balers, etc • Heavy use of electronic drafting & engineering software • Bids on contract work for major manufacturers
    5. Organization A - Agrieng Inc • Outbid & Outsold by foreign competitor • One particular competitor’s designs look eerily similar
    6. Organization B – ServPro GmbH • Large Service Provision company • Sales +/- 200M & 2500 Employees • Provides Information Management Solutions to worldwide organizations • Specialized database and information mining technology separates ServPro from competitive organizations • Currently handles personal information of over 50 million individuals
    7. Organization B – ServPro GmbH • A few clients are reporting an increase in identity theft reports by their constituents. • There seems to be a pattern in the types of information being reported as stolen.
    8. Organization C – Government Department • Federal organization providing legal related services • Handles specialty investigations from multiple provinces • Conducting investigation in high tech criminal activity
    9. Organization C – Government Department • Suspects are continually evading capture • Individuals caught seem to have been prepared for questioning • Little to no evidence identified when caught
    10. Forensic Investigation • What is going on? • Who is behind the activity? • Why are they doing it? • When did they start / stop? • Where are they located? • How is the activity occurring? • Has a crime taken place?
    11. Forensic Investigation • Often in cases involving information systems standardized forensic investigation does not occur until it is known that suspicious activity is happening • Where do we look for this activity?
    12. Digital Evidence & Forensics • Digital evidence exists all around us • Tools and techniques available to investigators have greatly increased in recent times • Reliance on digital evidence is becoming a reality • Where is evidence on a system?
    13. [Diagram: system layer model. Labels: User Console, User Level, Kernel Interface, Memory, Kernel Level, File System, Hardware Level]
    14. Evidence exists in: Memory • System Memory • System Cache; File System • File System • File System Cache [Diagram labels: Program, Config File, Target File, Log File, Temp Log, Temp File]
    15. Evidence exists in: • Running Programs • Running Services • Active Processes [Diagram labels: User Level, Service, Kernel Interface, Kernel Level, Hardware Level]
    16. [Diagram: system layer model. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File]
    17. Standardized process for digital evidence Standard processes being created for: • Attack Identification • Forensic Investigation • Image Capture • Image Analysis • Evidence identification
    18. Standardized process for digital evidence Forensic investigations are initiated from evidence collected during the attack identification process. If an investigator cannot identify an attack, forensic investigation will not be conducted, allowing attackers to go unnoticed.
    19. [Diagram: system layer model, Identification view. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File]
    20. [Diagram: system layer model, Forensic Investigation view. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File. Captured images: SYSTEM STATE IMAGE, MEMORY IMAGE, HARD DRIVE IMAGE]
    21. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
    22. Anti-Forensics What is it? • Practices and processes to prevent, counter-act or neutralize an investigator's ability to identify or recover evidence for use in an investigation.
    23. Anti-Forensics The common purpose: • Prevent detection of the attacker • Prevent an investigator from gaining usable knowledge • Destroy, hide, prevent creation of, or transform data
    24. Anti-Forensics The common purpose: • Even if an attacker is detected, evidence regarding their means, methods and motives will be altered preventing accurate investigation or prosecution.
    25. The origins of Anti-forensics • Traditional techniques • Physical • Financial • Criminal • Good Examples • On Television
    26. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
    27. Anti-forensics – Methods Overview • In order to maintain covert activities of any sort there is a requirement to Destroy, Hide, Prevent Creation of, or transform data to remain hidden.
    28. Anti-forensics – Methods Overview Destruction of data • Goal • Significantly Damage the Integrity of Evidence • Physical Destruction of Data • Magnetic Techniques (Degaussing) • Brute Force • Logical Destruction of Data • Reinitialize Media • Significantly change composition of data on media
    29. Anti-forensics – Methods Overview Hiding of data • Goal • Limit identification and collection of evidence • Obfuscation • Information Manipulation • Steganography • Encryption • Data Encryption • Media Encryption
    30. Anti-forensics – Methods Overview Data creation prevention • Goal • Prevent creation of evidence • Direct Prevention • Root Kits • Modification of System Binaries • Indirect Prevention • Limit system functionality – DoS – to prevent creation of data
    31. Anti-forensics – Methods Overview Transformation Techniques • Goal • Maintain or Re-establish investigator trust in falsified data as evidence. • Conventional Techniques • Root Kits • Advanced Techniques • Shared Library Hijacking
    32. [Diagram: system layer model, Identification view. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Attacker File, Attacker Program]
    33. Anti-forensics – Methods Overview Transformation Techniques • One of the most complex technical attacks being performed today • Understanding and appreciation for methods used will allow us to reform our investigation techniques
    34. Anti-forensics – Methods Overview Transformation Techniques • WHY? • Detailed forensic investigation may not start if there is no suggestion of system tampering • These techniques can make very ugly systems look like good ones…
    35. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
    36. Overview • Transformation Attacks • Traditional Methods • Conventional • Advanced • Detection • Conventional • Advanced • Emerging Methods
    37. Anti-Forensics – Traditional Techniques Conventional transformation methods • Initial System Compromise • Deception of Security Personnel
    38. Conventional transformation methods • Initial System Compromise • Breach of system due to known vulnerability • Attacker gains access to system, attempts to by-pass detection
    39. Conventional transformation methods • Deception of Security Personnel • Deleting Files • Hiding files / logs / activities • Root Kits • Tools used to identify suspicious activity (In BSD) • Disk Tools: df, ls, du • Process Tools: ps, top, crontab • Network Tools: netstat, sockstat, fstat, tcpdump • Be suspicious of your compiler
    40. Traditional Techniques – AgriEng Inc • Attacker identifies vulnerability • Breaks into system • Removes logs • Installs rootkit • Downloads engineering files • Configures backdoor into system
    41. [Diagram: system layer model. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Attacker File, Attacker Program]
    42. [Diagram: system layer model, Identification view. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    43. Overview • Transformation Attacks • Traditional Methods • Conventional • Advanced • Detection • Conventional • Advanced • Emerging Methods
    44. Anti-Forensics – Traditional Techniques Advanced Transformation Methods • Kernel Modules and hijacking system calls • Kernel level root kit • Provides undetected and almost unlimited access to a compromised system • Allows attackers to perform a variety of functions such as: • Hide processes • Hide files and registry keys • Log Keystrokes • Redirect Executable Files • Issue Commands • Generates own hidden TCP/IP Stack • Remote administration
    45. Traditional Techniques – ServPro GmbH • Attacker identifies vulnerability • Breaks into system • Removes logs • Installs kernel level rootkit • Installs System Sniffer • Creates automated system to send out client information
    46. [Diagram: system layer model. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Attacker File, Attacker Program]
    47. [Diagram: system layer model, Identification view. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    48. Overview • Transformation Attacks • Traditional Methods • Conventional • Advanced • Detection • Conventional • Advanced • Emerging Methods
    49. Anti-Forensics - Traditional Techniques Traditional Transformation Detection Methods • Cryptographic hashing for data integrity • Process Analysis • Network Monitoring • Signature / Pattern Matching
    50. Transformation Detection Methods • Cryptographic hashing for data integrity • Using fingerprints investigators can ensure files come from trusted sources, or weed out known attack tools • MD5 / SHA / RIPE-MD • HIDS – Use of Cryptographic Hashing • Tripwire, Axent, Cybersafe, ISS
    51. Cryptographic hashing for data integrity Trusted Command Executable % md5 ps.trusted MD5 (ps.trusted) = 9501ef286ef3ab8687b7920ca4fee29f Un-trusted Command Executable % md5 /bin/ps MD5 (/bin/ps) = 02b2f8087896314bafd4e9f3e00b35fb
    52. [Diagram: system layer model, Identification view. The Program is compared with a Known Good Program: NOT SAME, ATTACK DETECTED! Other labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    53. Transformation Detection Methods • Process Analysis • Processes contain content such as: • Open files • Memory Maps • Ownership Labels • Resource Consumption Statistics • Analysis of these characteristics allows an investigator to identify discrepancies in common system activity • Utilities such as: • ps -aux • top • procfs
    54. [Diagram: system layer model, Identification view. The Service is compared with a Known Good Service: NOT SAME, ATTACK DETECTED! Other labels: User Console, User Level, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    55. Transformation Detection Methods • Network Monitoring • NIDS • Firewall Monitoring • Bandwidth Trending • Output can identify use of known attacks, or privileged accounts
    56. Transformation Detection Methods • Network Monitoring Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP [Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3 • Example Snort® log which has detected the opcodes or machine instructions for a “stealth NOOP”.
    57. Transformation Detection Methods • Network Monitoring % tcpdump -nett -i pflog0 listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes 1100221136.677441 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK> 1100221138.370423 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK> • Example use of tcpdump on the OpenBSD® PF Firewall
    58. [Diagram: system layer model, Identification view, with a Network Intrusion Detection System: ATTACK DETECTED! Other labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    59. Transformation Detection Methods • Signature / Pattern Matching • Database of known patterns and signatures • Binary Sequence Matching • Used in NIDS / HIDS / Investigative Tools
    60. Transformation Detection Methods • Signature / Pattern Matching % file libtransform.so.1 libtransform.so.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), stripped • Output of the “file” utility on a shared object. • The “file” utility attempts to determine the file type of a specified file.
    61. [Diagram: system layer model, Identification view. Checks applied: 1. File Size 2. Header Information 3. File Content 4. Unknown Pattern: ATTACK DETECTED! Other labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    62. Investigating – AgriEng Inc • Cryptographic hashing for data integrity • Process Analysis • Network Monitoring • Signature / Pattern Matching
    63. [Diagram: system layer model, Identification view: ATTACK DETECTED! Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    64. Overview • Transformation Attacks • Traditional Methods • Conventional • Advanced • Detection • Conventional • Advanced • Emerging Methods
    65. Anti-Forensics - Traditional Techniques Advanced Transformation Detection Methods • Advanced Transformation Detection methods • Detection of system call hijacking
    66. Advanced Transformation Detection Methods • Detection of system call hijacking • System Call hijacking changes the address the system references from a known module to their own “attacker” module • If an investigator can find inconsistencies in programs making system calls they will be able to detect an attack
    67. Advanced Transformation Detection Methods • Advanced Transformation Detection methods if (sysent[SYS_open].sy_call != open) panic(“open system call has been hi-jacked”); if (sysent[SYS_write].sy_call != write) panic(“write system call has been hi-jacked”); • Code snippet for the FreeBSD® operating system which, when executed in the context of the kernel, could be used to detect the presence of a hi-jacked system call.
    68. Investigating – ServPro GmbH • Cryptographic hashing for data integrity • Process Analysis • Network Monitoring • Signature / Pattern Matching • Detection of system call hijacking
    69. [Diagram: system layer model, Identification view: ATTACK DETECTED! Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Temp Log, Temp File, Attacker File, Attacker Program]
    70. Overview • Transformation Attacks • Traditional Methods • Emerging Methods • Emerging Transformation Methods • Emerging Detection
    71. Anti-Forensics – Emerging Techniques Emerging transformation methods • Hijacking of user space library calls
    72. Dynamically Linked Libraries • More efficient use of system resources • Loads from User Space • Multiple programs utilize same code libraries for similar functions • Attackers can change program behavior without modifying program or libraries [Diagram labels: Standard Libraries Memory, Dynamically Linked Memory]
    73. Dynamically Linked Libraries [Diagram: Memory]
    74. Dynamically Linked Libraries [Diagram: Memory]
    75. Emerging transformation methods • Hijacking of user space library calls • Information Transformation • Takes “Ugly / Untrusted” information and makes it look “Good / Trusted” • Scenarios • System Logs • Audit Logs • Existing Files • IDS • FW • Dynamic Review
    76. Emerging Techniques – Government Department • Attacker identifies vulnerability • Breaks into system • Installs User Space Module for Shared Library Hi-jacking • Creates automated system to send out client information • Avoids capture through regular methods from investigators
    77. [Diagram: system layer model. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Shared Object File, Attacker File]
    78. [Diagram: system layer model, Identification view. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Shared Object File, Attacker File]
    79. Investigating – Government Department • Cryptographic hashing for data integrity • Process Analysis • Network Monitoring • Signature / Pattern Matching • Detection of system call hijacking
    80. [Diagram: system layer model, Identification view: No Attack. Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Shared Object File, Attacker File]
    81. Overview • Transformation Attacks • Traditional Methods • Emerging Methods • Emerging Transformation Methods • Emerging Detection
    82. Anti-Forensics – Emerging Techniques Emerging transformation detection methods • Shared Library Analysis
    83. Emerging transformation detection methods • Shared Library Analysis • Analyze active processes to identify links to “Ugly / untrusted” shared libraries. • Using LSOF to analyze VMCORE • Identifies if an untrusted object is being used by the system • Using objdump to analyze dynamic symbols • Identifies which functions are being hijacked by the untrusted object
    84. Investigating – Government Department • Using LSOF to analyze VMCORE • Using objdump to analyze dynamic symbols
    85. [Diagram: system layer model, Identification view, with a VMCORE File taken from Memory: ATTACK DETECTED! Labels: User Console, User Level, Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level, Program, Config File, Target File, Log File, Temp Log, Temp File, Shared Object File, Attacker File]
    86. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
    87. Current trends to watch • Direct Kernel Hijack • Concurrency Exploits • Dynamic Firmware Attack • Virtualization Attacks
    88. Direct Kernel Hijack • Modifies live kernel instead of system calls • Injection of malicious kernel code through /dev/mem or /dev/kmem • This isn’t new, but gaining popularity again… • Tripwire, Exec Shield, PaX bypass standard in most kits • Most script kits do not require root for proper execution on Ubuntu, general Linux/BSD flavors • Better detection of NOP sleds allowing for higher chance of 1st time success
    89. Concurrency Exploits & Race Conditions • System call wrappers have been touted as the answer to system call hijack. • Concurrency exploits remove the effectiveness of wrappers in multi-process systems • More information • http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf
    90. Concurrency Exploits – Race Conditions
    91. Firmware Attack - Covert Channel • Hijack of interrupts through firmware exploitation • RAID / SATA drives increasingly vulnerable • Automated exploit through dynamic firmware update • Hide I/O errors, misreport write commands, reword strings being written to drive
    92. Virtualization Attacks • The Blue Pill hype (and anti-hype) • http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html • Reported to be 100% undetectable malware • On-the-fly installation of malware that “Traps & Emulates” the original OS • Timing, Memory & Hypervisor checks detect it… • As hardware moves towards virtualization support this will become a bigger concern
    93. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
    94. Prevention Methods for the Real World • Psychological Changes • Be aware of this type of activity • Process Changes • Modify incident handling and forensic investigation processes to test for this type of activity • Architecture Changes • Static Linking (back to the future!) • Utilize trusted security architectures • Cryptographic Execution Policy (CheckSums) • Mandatory Access Control Frameworks • FreeBSD Trusted Execution Policy
    95. Prevention Methods for the Real World • Real world tools for detection available: • RootKit Hook Analyser • http://www.resplendence.com/hookanalyzer • RootkitRevealer (Windows NT4 – 2003+) • http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx • F-Secure BlackLight • http://www.f-secure.co.uk/blacklight/blacklight.html
    96. Prevention Methods for the Real World • Real world tools for prevention available: • Tripwire • http://www.tripwire.com/ • Third Brigade • http://www.thirdbrigade.com/ • Anti-Rootkit software • http://www.antirootkit.com/software/index.htm
    97. Overview • Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Prevention Methods for Real World • Conclusions
    98. Conclusions • Anti-forensic techniques in the digital realm are becoming more complex and harder to detect
    99. Conclusions • Transformation attacks can falsely maintain an investigator’s trust in a system preventing a proper investigation from occurring
    100. Conclusions • Awareness of anti-forensics and the techniques required for identification will enhance our ability to protect our organizations
    101. Thank-you Michael Legary Founder, Seccuris Inc. (204) 255-4490 Michael.Legary@Seccuris.com 1-866-644-8442 www.seccuris.com
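
The shared library analysis of slides 82 to 85, combined with the hash baseline of slides 50 and 51, as an added example that is not part of the original presentation: it parses `lsof -F pcfn` field output to find mapped objects that are missing from, or differ from, a trusted baseline, then parses `objdump -T` style output to list which watched functions such an object defines. The sample text, the `/var/tmp` path, the baseline values, the `WATCHED` list and all function names are constructed for illustration; only `libtransform.so.1` appears on the slides.

```python
"""Shared library analysis: find untrusted mapped objects, then list the functions they redefine."""
import hashlib
import re

# Constructed sample of `lsof -F pcfn` field output: p=PID, c=command,
# f=descriptor, n=name. Mapped objects appear as "txt" (BSD) or "mem" (Linux).
SAMPLE_LSOF = """\
p412
csshd
ftxt
n/usr/sbin/sshd
ftxt
n/lib/libc.so.7
p977
csyslogd
ftxt
n/usr/sbin/syslogd
ftxt
n/lib/libc.so.7
ftxt
n/var/tmp/libtransform.so.1
"""

# Constructed sample modelled on `objdump -T` (dynamic symbol table) output.
SAMPLE_OBJDUMP = """\
DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  FBSD_1.0    dlsym
00000a10 g    DF .text  00000052  Base        open
00000a70 g    DF .text  00000048  Base        write
00000ac0 g    DF .text  00000031  Base        helper_init
00000b00 g    DO .data  00000004  Base        open_count
"""

# Hypothetical watch list: calls whose results an investigator's tools rely on.
WATCHED = {"open", "read", "write", "readdir", "stat", "fopen"}
SECTION = re.compile(r"\*\w+\*|\.\S+")  # *UND*, *ABS*, .text, .data ...


def mapped_objects(lsof_text):
    """Yield (pid, command, path) for each memory-mapped file in the output."""
    state = {}
    for line in filter(None, lsof_text.splitlines()):
        if line[0] == "p":
            state = {}  # a new process set begins; forget the previous one
        state[line[0]] = line[1:]
        if line[0] == "n" and state.get("f") in ("txt", "mem"):
            yield int(state["p"]), state.get("c"), line[1:]


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit(lsof_text, baseline, digest=sha256_of):
    """Report mapped objects missing from, or differing from, the baseline
    (path -> SHA-256 recorded while the system was still trusted)."""
    findings = []
    for pid, cmd, path in mapped_objects(lsof_text):
        if path not in baseline:
            findings.append((pid, cmd, path, "not in baseline"))
        elif digest(path) != baseline[path]:
            findings.append((pid, cmd, path, "hash mismatch"))
    return findings


def interposed(objdump_text, watched=WATCHED):
    """Watched function names that the object itself defines (not *UND*)."""
    hits = set()
    for tok in map(str.split, objdump_text.splitlines()):
        if len(tok) < 4 or not re.fullmatch(r"[0-9a-fA-F]+", tok[0]):
            continue  # header or blank line, not a symbol row
        sec = next((i for i in range(1, len(tok)) if SECTION.fullmatch(tok[i])), None)
        if sec is None or tok[sec] == "*UND*":
            continue  # imported symbol: the object only calls it
        if "F" in "".join(tok[1:sec]) and tok[-1] in watched:
            hits.add(tok[-1])
    return sorted(hits)


if __name__ == "__main__":
    base = {p: "constructed" for p in ("/usr/sbin/sshd", "/lib/libc.so.7", "/usr/sbin/syslogd")}
    print(audit(SAMPLE_LSOF, base, digest=base.get))
    print("redefines:", interposed(SAMPLE_OBJDUMP))
```

On a suspect host the listing and hashing tools can themselves be deceived by a hijacked library, so the input should come from statically linked tools run from trusted media or from a captured image, in line with slides 83 and 94.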