2. Frequently when we think of
CyberCrime, external intrusions
immediately come to mind, but we
should remember that "insiders"
represent a significant threat to
organizations. Between 46 and 58
percent of the incidents resulting in the
largest losses to organizations were
"inside jobs." This is particularly
troubling because in these incidents
identifying the offenders and
recovering the assets should be
easier.
(Chart: intrusions by source, insiders vs. outsiders)
Global Economic Crime Survey 2011, PricewaterhouseCoopers.
3. (Chart: Reason not prosecuted, percent of respondents)
Damage level insufficient: 42%
Could not identify the individual: 40%
Lack of evidence: 39%
Negative publicity: 12%
Concerns about liability: 8%
Competitors would use for advantage: 6%
Prior negative response from law enforcement: 5%
Unaware crime was reportable: 4%
Other: 11%
Don't know: 20%
In "insider" incidents, 40
percent of the time those
responsible are never
identified, or insufficient
evidence is obtained for
prosecution. This is
particularly troubling because
in these incidents identifying
the offenders and recovering
the assets should be
easier.
2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte,
January 2011.
4. Why are so many incidents not producing sufficient information
for prosecution? To some degree this makes sense when we dig
deeper into the numbers: 61 percent of businesses suffering from
CyberCrime indicated that "they don't have, or are not aware of
having, access to forensic technology investigators."
(Chart: Business forensic capabilities, percent of respondents)
Not aware of access to forensic investigators: 61
No in-house forensics: 60
No forensic IR procedures: 46
Global Economic Crime Survey 2011, PricewaterhouseCoopers
5. Objectives of incident response:
• Collect as much evidence as possible
• Minimize or eliminate changes made to
evidentiary information
• Maintain the integrity of the investigation
• Minimize the disruption to business processes
• Obtain a successful outcome
6. Striking a balance
• Do we need to do a forensic examination?
– Is there a statutory requirement to report?
– Is there potential liability for not investigating?
– Is there a broader objective in the investigation?
– Is it fiscally responsible?
7. Typical Incident life cycle
• Identify incident
• Establish approach
• Collect evidence
• Analyze evidence
• Document and report
• Assess and follow-up
8. Traditional Computer Forensic Response
• Secure location
• Document the scene
• Pull the plug
• Collect evidence
• Image the media
• Analysis
• Reporting
9. Pros of the Approach
• Acceptable for most of the cases law
enforcement (LE) is presented with
• Easy to validate the information for court
purposes
• Easy to establish and validate SOPs
10. Cons of the Traditional Approach
• Increasing drive capacities
• Increased security
awareness
– Encryption
– Passwords
– "Personal privacy" software
• Business continuity
• Misses or destroys vital
information in RAM
11. Better Approach
• Secure location
• Photograph and document scene
• Collect volatile data
• Isolate from network? (decision point)
• Bring the machine down, or live image? (decision point)
• Bit-stream image
• Analysis
• Reporting
12. Order of volatility
1. CPU cache and registers
2. ARP cache, Routing and Process tables
3. RAM
4. Temp file systems, Swap and page files
5. Fixed and removable media attached
6. Remotely logged data
7. Archives
14. Concerns
• Reliability of local tools
• Root kits
• Integrity of evidence
– Authenticity
– Integrity
• Chains of custody
• Security
15. Collection of Volatile Data
• cmd
• tasklist
• netstat
• arp
• route
• net commands
• etc.
*The problem with using native commands is that we cannot trust their results: on a compromised host a rootkit can hook or replace them.*
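The following is an added example, not code from the original slides, tying together the concerns on slide 14 (reliability of local tools, rootkits, integrity, chain of custody) and the volatile-data collection on slide 15. It runs the tools the slide lists in order of volatility, but resolves every executable against a toolkit directory carried on the responder's own media rather than the suspect host's PATH, hashes each output with SHA-256, and writes a timestamped manifest that can later be re-verified. The toolkit path E:\IR\tools, the output location and the sample command output in demo() are hypothetical and constructed for illustration.

```python
"""Volatile-data collection: trusted toolkit, order of volatility, hashed
output plus a manifest for chain of custody.

Added example; not code from the original slides. The toolkit path
E:\\IR\\tools is a hypothetical responder-controlled location (removable
media) assumed for illustration.
"""
import hashlib
import json
import os
import subprocess
import tempfile
import time
from dataclasses import dataclass, asdict
from typing import Callable, List, Tuple

# Most volatile first: process table, network state, then sessions/shares.
# Each entry names an executable we carry on our own media; nothing here
# relies on cmd.exe built-ins or binaries found on the suspect host.
COLLECTION_PLAN: List[Tuple[str, List[str]]] = [
    ("tasklist",    ["tasklist.exe", "/v"]),
    ("netstat",     ["netstat.exe", "-ano"]),
    ("arp",         ["arp.exe", "-a"]),
    ("route",       ["route.exe", "print"]),
    ("net_session", ["net.exe", "session"]),
    ("net_use",     ["net.exe", "use"]),
]

@dataclass
class Artifact:
    name: str
    command: List[str]
    started: float        # wall-clock seconds, for the custody timeline
    finished: float
    returncode: int
    sha256: str
    size: int

def trusted_command(toolkit: str, argv: List[str]) -> List[str]:
    """Resolve argv[0] against the responder's toolkit so a hooked or
    replaced on-host binary is never the one executed."""
    return [os.path.join(toolkit, argv[0])] + argv[1:]

def run_real(cmd: List[str]) -> Tuple[int, bytes]:
    """Field executor: run the tool and capture everything it prints."""
    proc = subprocess.run(cmd, capture_output=True, timeout=120)
    return proc.returncode, proc.stdout + proc.stderr

def collect(toolkit: str, outdir: str,
            executor: Callable[[List[str]], Tuple[int, bytes]] = run_real,
            plan=COLLECTION_PLAN) -> List[Artifact]:
    """Run the plan in order; write each output and a SHA-256 manifest."""
    os.makedirs(outdir, exist_ok=True)
    artifacts = []
    for name, argv in plan:
        cmd = trusted_command(toolkit, argv)
        started = time.time()
        rc, output = executor(cmd)
        finished = time.time()
        with open(os.path.join(outdir, f"{name}.txt"), "wb") as fh:
            fh.write(output)
        artifacts.append(Artifact(name, cmd, started, finished, rc,
                                  hashlib.sha256(output).hexdigest(), len(output)))
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump([asdict(a) for a in artifacts], fh, indent=2)
    return artifacts

def verify_manifest(outdir: str) -> bool:
    """Re-hash every collected file against the manifest; any mismatch
    means the evidence changed after collection."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    for entry in manifest:
        with open(os.path.join(outdir, f"{entry['name']}.txt"), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                return False
    return True

def demo() -> dict:
    """Offline walk-through using a fake executor and constructed output
    (no real tools are run); also shows tampering being detected."""
    sample = {  # constructed sample output, not real captures
        "tasklist.exe": b"Image Name   PID  Session Name\nexplorer.exe 1234 Console\n",
        "netstat.exe":  b"TCP  0.0.0.0:445  0.0.0.0:0  LISTENING  4\n",
        "arp.exe":      b"192.168.1.1  00-11-22-33-44-55  dynamic\n",
        "route.exe":    b"0.0.0.0  0.0.0.0  192.168.1.1  192.168.1.10  25\n",
        "net.exe":      b"There are no entries in the list.\n",
    }
    def fake_exec(cmd: List[str]) -> Tuple[int, bytes]:
        return 0, sample[os.path.basename(cmd[0])]
    with tempfile.TemporaryDirectory() as outdir:
        arts = collect(r"E:\IR\tools", outdir, executor=fake_exec)
        intact = verify_manifest(outdir)
        with open(os.path.join(outdir, "netstat.txt"), "ab") as fh:
            fh.write(b"tampered\n")      # simulate post-collection change
        return {
            "order": [a.name for a in arts],
            "trusted": all(a.command[0].startswith(r"E:\IR\tools") for a in arts),
            "intact_after_collection": intact,
            "tamper_detected": not verify_manifest(outdir),
        }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from the toolkit media and point outdir at responder-controlled media, not the suspect disk, so collection changes as little as possible on the evidentiary host (slide 5). Note the limit this approach shares with any live response: a kernel-level rootkit can still lie to a trusted userland tool, which is why a RAM image (slide 12) complements, rather than replaces, these commands.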
25. http://www.breaknenter.org/projects/inception/
“Inception is a FireWire
physical memory
manipulation and hacking
tool exploiting IEEE 1394
SBP-2 DMA. The tool can
unlock (any password
accepted) and escalate
privileges to
Administrator/root on
almost* any powered on
machine you have physical
access to. The tool can
attack over FireWire,
Thunderbolt, ExpressCard,
PC Card and any other
PCI/PCIe interfaces.”
26. “Goldfish was a project by Afrah
Almansoori, Pavel Gladyshev, and Joshua
James aimed at the extraction of user
password and fragments of AIM instant
messenger conversations directly from
RAM of Apple Mac computers. Goldfish
software can be used against 32 bit
versions of Mac OS X up to and including
Mac OS X (10.5) Leopard.”
http://digitalfire.ucd.ie/?page_id=430
27. Direct Memory Access
• Advantages
– Bypass passwords to gain access
– Recover passwords (keyboard buffers)
– Evade current anti-forensics techniques