SlideShare a Scribd company logo

Memory forensics and incident response

London School of Cyber Security
London School of Cyber Security
Technology
1 of 32
Download to read offline
Memory Forensics and Incident Response Robert Reed
Frequently when we think of CyberCrime external intrusions immediately comes to mind, but we should remember that “insiders” represent a significant threat to organizations. Between 46 and 58 percent of the incidents resulting in the largest losses to organizations were “inside jobs.” This is particularly troubling because in these incidents the likely hood of identification of offenders and potential recovery of assets should be easier. Intrusions Insiders Outsiders Global Economic Crime Survey 2011, PriceWaterhouse Cooper.
42% 40% 39% 12% 8% 6% 5% 4% 11% 20% 0% 10% 20% 30% 40% 50% Damage level insufficient Could not identify the individual Lack of evidence negative publicity Concerns about liability competitors use for advantage Prior negative response law… Unaware crime was reportable Other Don't know Reason not Prosecuted Damage level insufficient Could not identify the individual Lack of evidence negative publicity Concerns about liability competitors use for advantage Prior negative response law enforcement Unaware crime was reportable Other In “insider” incidents, 40 percent of the time those responsible are never identified, or insufficient evidence was obtained for prosecution. This is particularly troubling because in these incidents the likely hood of identification of offenders and potential recovery of assets should be easier 2011 CyberSecuirtyWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
Why are so many incidents not producing sufficient information for prosecutions? To some degree this makes sense when we dig deeper into the numbers, 61 percent businesses suffering from CyberCrime indicated that “they don’t have, or are not aware of having, access to forensic technology investigators.” 61 60 46 0 20 40 60 80 Not Aware of access to forensic investigators No in-house forensics No forensic IR proceedures Business Forensic capabilities Forensic Capabilities Global Economic Crime Survey 2011, PriceWaterhouse Cooper
Objectives of incident response: • Collect as much evidence as possible • Minimize or eliminate changes made to evidentiary information • Maintain the integrity of the investigation • Minimize the disruption to business processes • Obtain a successful outcome
Striking a balance • Do we need to do a forensic examination? – Is there a statutory requirement to report? – Is there potential liability for not investigating? – Is there a broader objective in the investigation? – Is it fiscally responsible?
Typical Incident life cycle • Identify incident • Establish approach • Collect evidence • Analyze evidence • Document and report • Assess and follow-up
Traditional Computer Forensic Response • Secure location • Document the scene • Pull the plug • Collect evidence • Image the media • Analysis • Reporting
Pro’s of the Approach • Acceptable for most of the cases LE is presented with • Easy to validate the information for court purposes • Easy to establish and validate SOP’s
Con’s to Traditional Approach • Increasing drive capacities • Increased security awareness – Encryption – Passwords – “Personal Privacy” Software • Business Continuity • Misses /Destroys vital information in RAM
Better Approach • Secure location • Photograph and document scene • Collect volatile data • Isolate from network?? • Bring the machine down or live image?? • Bit stream image • Analysis • Reporting
Order of volatility 1. CPU cache and Register 2. ARP cache, Routing and Process tables 3. RAM 4. Temp file systems, Swap and page files 5. Fixed and removable media attached 6. Remotely logged data 7. Archives
Collection of volatile data Tool/s Utilities OSHardware Results
Concerns • Reliability of local tools • Root kits • Integrity of evidence – Authenticity – Integrity • Chains of custody • Security
Collection of Volatile data • cmd • tasklist • netstat • arp • Route • Net commands • etc * The problem with using native commands is that we can not trust their results*
Collection of volatile data Tool/s Utilities OSHardware Results
Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace
External tools • cmd ?? *are you bringing your own command console?* • Sysinternals: http://technet.microsoft.com/en-us/sysinternals/default • Nirsoft: http://www.nirsoft.net/ • Foundstone: http://www.mcafee.com/us/downloads/free-tools/index.aspx • WFT: http://www.foolmoon.net/security/wft/ • Tons of others out there
Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace API
Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace
RAM / Image Analysis tool OS utilities OSHardware Results ? Kernel Space UserSpace Tool
Imaging and Analysis Tools • Win32/64 dd • Dumpit • Man dd • FTK Imager • Belkasoft • Volatility • Memoryze • Redline • HBGary Responder • Encase • Etc….
Imaging and Analysis Tools • Challenges – Varied Implementations – Anti-Forensics programs and techniques
Direct Memory Access tool OS utilities OSHardware Results ? Kernel Space UserSpace Tool
http://www.breaknenter.org/projects/inception/ “Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.”
“Goldfish was a project by Afrah Almansoori, Pavel Gladyshev, and Joshua James aimed at the extraction of user password and fragments of AIM instant messenger conversations directly from RAM of Apple Mac computers. Goldfish software can be used against 32 bit versions of Mac OS X up to and including Mac OS X (10.5) Leopard.” http://digitalfire.ucd.ie/?page_id=430
Direct Memory Access • Advantages – Bypass passwords to gain access – Recover passwords (keyboard buffers) – Evade current anti-forensics techniques
Direct Memory Access • Challenges – Hardware dependent! – Physical access! – Disabled drivers? – 4GB of accessible space! 0>ffffffff
Direct Memory Access • Mitigation – Windows • Block SBP-2 drivers: http://support.microsoft.com/kb/2516445 • Remove FireWire and thunderbolt drivers
Direct Memory Access • Mitigation – Macs • Filevault2 (OS X Lion) and screen locked • Firmware password
Direct Memory Access • Mitigation – Linux • Disable DMA • Remove FireWire drivers
Questions ??

Recommended

Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
Malware Analysis
Malware Analysis Malware Analysis
Malware Analysis MichaelRodriguesdosS1
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 

Recommended

Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
Malware Analysis
Malware Analysis Malware Analysis
Malware Analysis MichaelRodriguesdosS1
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine LearningJapneet Singh
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)phexcom1
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
FireEye Solutions
FireEye SolutionsFireEye Solutions
FireEye SolutionsPrime Infoserv
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.finalahmad abdelhafeez
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Database forensics
Database forensicsDatabase forensics
Database forensicsDenys A. Flores, PhD
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisPrashant Gupta
 
Incident response
Incident responseIncident response
Incident responseAnshul Gupta
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
katagaitaictf7_hw_ysk
katagaitaictf7_hw_yskkatagaitaictf7_hw_ysk
katagaitaictf7_hw_yskysk256
 

More Related Content

What's hot

Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine LearningJapneet Singh
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)phexcom1
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 

What's hot (20)

Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Information security
Information securityInformation security
Information security
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & Control
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK Framework
 
Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)Open source intelligence information gathering (OSINT)
Open source intelligence information gathering (OSINT)
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
FireEye Solutions
FireEye SolutionsFireEye Solutions
FireEye Solutions
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
Database forensics
Database forensicsDatabase forensics
Database forensics
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Incident response
Incident responseIncident response
Incident response
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 

Viewers also liked

Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
katagaitaictf7_hw_ysk
katagaitaictf7_hw_yskkatagaitaictf7_hw_ysk
katagaitaictf7_hw_yskysk256
 
Investigating Hackers' Tools
Investigating Hackers' ToolsInvestigating Hackers' Tools
Investigating Hackers' ToolsIsrael Umana
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plugKamal Rathaur
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsRhydham Joshi
 
katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会
katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会
katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会sonickun
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
katagaitai CTF勉強会 #5 Crypto
katagaitai CTF勉強会 #5 Cryptokatagaitai CTF勉強会 #5 Crypto
katagaitai CTF勉強会 #5 Cryptotrmr
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident responseBrian Honan
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 

Viewers also liked (13)

Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with Volatility
 
katagaitaictf7_hw_ysk
katagaitaictf7_hw_yskkatagaitaictf7_hw_ysk
katagaitaictf7_hw_ysk
 
Investigating Hackers' Tools
Investigating Hackers' ToolsInvestigating Hackers' Tools
Investigating Hackers' Tools
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plug
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of Artifacts
 
katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会
katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会
katagaitai CTF 勉強会 #5 -関東 |med おまけ問題 Parlor (Plaid CTF 2014) @m1z0r3勉強会
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit Detection
 
katagaitai CTF勉強会 #5 Crypto
katagaitai CTF勉強会 #5 Cryptokatagaitai CTF勉強会 #5 Crypto
katagaitai CTF勉強会 #5 Crypto
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 

Similar to Memory forensics and incident response

Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertISSA LA
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureOllie Whitehouse
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxAkramAlqadasi1
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteDamir Delija
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityStephen Cobb
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghEndpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghNapier University
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comAravind R
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityJoel Cardella
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Logs in Security and Compliance flare
Logs in Security and Compliance flareLogs in Security and Compliance flare
Logs in Security and Compliance flarezilberberg
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threatsZscaler
 

Similar to Memory forensics and incident response (20)

Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
encase enterprise
encase enterprise encase enterprise
encase enterprise
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidente
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To Prepare
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber Security
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghEndpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
Logs in Security and Compliance flare
Logs in Security and Compliance flareLogs in Security and Compliance flare
Logs in Security and Compliance flare
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threats
 

More from London School of Cyber Security

How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsLondon School of Cyber Security
 
Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?London School of Cyber Security
 
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker HotshotsChanging the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker HotshotsLondon School of Cyber Security
 

More from London School of Cyber Security (20)

The Panama Papers Hack
The Panama Papers HackThe Panama Papers Hack
The Panama Papers Hack
 
ISIS and Cyber Terrorism
ISIS and Cyber TerrorismISIS and Cyber Terrorism
ISIS and Cyber Terrorism
 
Silk Road & Online Narcotic Distribution
Silk Road & Online Narcotic DistributionSilk Road & Online Narcotic Distribution
Silk Road & Online Narcotic Distribution
 
Ashely Madison Hack
Ashely Madison HackAshely Madison Hack
Ashely Madison Hack
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
 
How To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and TrainingHow To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and Training
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
 
Building an Effective Cyber Intelligence Program
Building an Effective Cyber Intelligence ProgramBuilding an Effective Cyber Intelligence Program
Building an Effective Cyber Intelligence Program
 
Crowdsourced Vulnerability Testing
Crowdsourced Vulnerability TestingCrowdsourced Vulnerability Testing
Crowdsourced Vulnerability Testing
 
Gauntlt Rugged By Example
Gauntlt Rugged By ExampleGauntlt Rugged By Example
Gauntlt Rugged By Example
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?Website Impersonation Attacks. Who is REALLY Behind That Mask?
Website Impersonation Attacks. Who is REALLY Behind That Mask?
 
Sploitego
SploitegoSploitego
Sploitego
 
Legal Issues in Mobile Security Research
Legal Issues in Mobile Security ResearchLegal Issues in Mobile Security Research
Legal Issues in Mobile Security Research
 
Blind XSS
Blind XSSBlind XSS
Blind XSS
 
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker HotshotsChanging the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
 
Sploitego
SploitegoSploitego
Sploitego
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Memory forensics and incident response

  • 1. Memory Forensics and Incident Response Robert Reed
  • 2. Frequently when we think of CyberCrime external intrusions immediately comes to mind, but we should remember that “insiders” represent a significant threat to organizations. Between 46 and 58 percent of the incidents resulting in the largest losses to organizations were “inside jobs.” This is particularly troubling because in these incidents the likely hood of identification of offenders and potential recovery of assets should be easier. Intrusions Insiders Outsiders Global Economic Crime Survey 2011, PriceWaterhouse Cooper.
  • 3. 42% 40% 39% 12% 8% 6% 5% 4% 11% 20% 0% 10% 20% 30% 40% 50% Damage level insufficient Could not identify the individual Lack of evidence negative publicity Concerns about liability competitors use for advantage Prior negative response law… Unaware crime was reportable Other Don't know Reason not Prosecuted Damage level insufficient Could not identify the individual Lack of evidence negative publicity Concerns about liability competitors use for advantage Prior negative response law enforcement Unaware crime was reportable Other In “insider” incidents, 40 percent of the time those responsible are never identified, or insufficient evidence was obtained for prosecution. This is particularly troubling because in these incidents the likely hood of identification of offenders and potential recovery of assets should be easier 2011 CyberSecuirtyWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
  • 4. Why are so many incidents not producing sufficient information for prosecutions? To some degree this makes sense when we dig deeper into the numbers, 61 percent businesses suffering from CyberCrime indicated that “they don’t have, or are not aware of having, access to forensic technology investigators.” 61 60 46 0 20 40 60 80 Not Aware of access to forensic investigators No in-house forensics No forensic IR proceedures Business Forensic capabilities Forensic Capabilities Global Economic Crime Survey 2011, PriceWaterhouse Cooper
  • 5. Objectives of incident response: • Collect as much evidence as possible • Minimize or eliminate changes made to evidentiary information • Maintain the integrity of the investigation • Minimize the disruption to business processes • Obtain a successful outcome
  • 6. Striking a balance • Do we need to do a forensic examination? – Is there a statutory requirement to report? – Is there potential liability for not investigating? – Is there a broader objective in the investigation? – Is it fiscally responsible?
  • 7. Typical Incident life cycle • Identify incident • Establish approach • Collect evidence • Analyze evidence • Document and report • Assess and follow-up
  • 8. Traditional Computer Forensic Response • Secure location • Document the scene • Pull the plug • Collect evidence • Image the media • Analysis • Reporting
  • 9. Pro’s of the Approach • Acceptable for most of the cases LE is presented with • Easy to validate the information for court purposes • Easy to establish and validate SOP’s
  • 10. Con’s to Traditional Approach • Increasing drive capacities • Increased security awareness – Encryption – Passwords – “Personal Privacy” Software • Business Continuity • Misses /Destroys vital information in RAM
  • 11. Better Approach • Secure location • Photograph and document scene • Collect volatile data • Isolate from network?? • Bring the machine down or live image?? • Bit stream image • Analysis • Reporting
  • 12. Order of volatility 1. CPU cache and Register 2. ARP cache, Routing and Process tables 3. RAM 4. Temp file systems, Swap and page files 5. Fixed and removable media attached 6. Remotely logged data 7. Archives
  • 13. Collection of volatile data Tool/s Utilities OSHardware Results
  • 14. Concerns • Reliability of local tools • Root kits • Integrity of evidence – Authenticity – Integrity • Chains of custody • Security
  • 15. Collection of Volatile data • cmd • tasklist • netstat • arp • Route • Net commands • etc * The problem with using native commands is that we can not trust their results*
  • 16. Collection of volatile data Tool/s Utilities OSHardware Results
  • 17. Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace
  • 18. External tools • cmd ?? *are you bringing your own command console?* • Sysinternals: http://technet.microsoft.com/en-us/sysinternals/default • Nirsoft: http://www.nirsoft.net/ • Foundstone: http://www.mcafee.com/us/downloads/free-tools/index.aspx • WFT: http://www.foolmoon.net/security/wft/ • Tons of others out there
  • 19. Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace API
  • 20. Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace
  • 21. RAM / Image Analysis tool OS utilities OSHardware Results ? Kernel Space UserSpace Tool
  • 22. Imaging and Analysis Tools • Win32/64 dd • Dumpit • Man dd • FTK Imager • Belkasoft • Volatility • Memoryze • Redline • HBGary Responder • Encase • Etc….
  • 23. Imaging and Analysis Tools • Challenges – Varied Implementations – Anti-Forensics programs and techniques
  • 25. http://www.breaknenter.org/projects/inception/ “Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.”
  • 26. “Goldfish was a project by Afrah Almansoori, Pavel Gladyshev, and Joshua James aimed at the extraction of user password and fragments of AIM instant messenger conversations directly from RAM of Apple Mac computers. Goldfish software can be used against 32 bit versions of Mac OS X up to and including Mac OS X (10.5) Leopard.” http://digitalfire.ucd.ie/?page_id=430
  • 27. Direct Memory Access • Advantages – Bypass passwords to gain access – Recover passwords (keyboard buffers) – Evade current anti-forensics techniques
  • 28. Direct Memory Access • Challenges – Hardware dependent! – Physical access! – Disabled drivers? – 4GB of accessible space! 0>ffffffff
  • 29. Direct Memory Access • Mitigation – Windows • Block SBP-2 drivers: http://support.microsoft.com/kb/2516445 • Remove FireWire and thunderbolt drivers
  • 30. Direct Memory Access • Mitigation – Macs • Filevault2 (OS X Lion) and screen locked • Firmware password
  • 31. Direct Memory Access • Mitigation – Linux • Disable DMA • Remove FireWire drivers