Usage aspects techniques for enterprise forensics data analytics tools

EnCase v7 Enterprise sweep data access through Infozoom

Published in: Education, Technology
Slide 1: Usage Aspects Techniques For Enterprise Forensics Data Analytics Tools
Damir Delija, damir.delija@insig2.eu
"Nove sigurnosne ugroze i kritična nacionalna infrastruktura" (New security threats and critical national infrastructure), Zagreb, 12-13.09.2013
Slide 2: Idea
• How to analyze the data in the internal database and data repositories of a forensic tool through external data analytics tools
• Or, as a generalization: access to hidden data in forensic tools, especially enterprise-class forensic tools
  – (this is not a new problem; something very similar happened in network management ages ago)
Slide 3: To explore the situation
• To try what can be collected from commercial forensic tools
  – EnCase v7 and FTK as forensic tools
  – Infozoom as data presentation and analysis tool
• also some open source add-ons
Slide 4: Evolution Of Enterprise Forensics Capabilities
  disk images – forensic image of remote physical or logical disks, acquired and preserved on the forensics workstation
  memory images – forensic image of the whole RAM of a remote node and memory images of its processes, acquired and preserved on the forensics workstation
  snapshot data – presents the current structure of users, processes, DLLs, open files and network information (ARP table, DNS table, routing table)
• Each step brings a huge amount of data and metadata into the forensic tool
• this data is not worthless even if it is not directly related to the first line of examination
Slide 5: Forensic tools example: EnCase v7
• EnCase v7
  – stores data in cache files and evidence files
    • cache: processed data – usually sqlite
    • evidence: original data
  – Other forensic tools store data in a db or in various files (FTK, X-Ways, UFED ...)
  – the data is there, but what you can see is what the forensic tool allows you to see
    • or a huge effort is needed to work around the tool and access the data
Slide 6: Forensics Components – EnCase Enterprise approach
[diagram of EnCase Enterprise components; labels: Company Headquarters, Main Office A, Main Office B, Branch Office, WAN, SAFE, Examiner, Target Node]
Slide 7: EnCase Enterprise sweep
• collect live snapshot data from all machines in the enterprise
  – a forensic agent (servlet) is installed on each machine
• data goes into a sqlite db file on the examiner machine
• the GUI and interface in EnCase are harsh and unhelpful for data extraction / analysis
• access to data from EnCase – use the data browser or write an EnScript program
Slide 8: Simple Network Incident Scenario
  step 1 – Snapshot: forensic snapshot of the suspected machines involved in the incident
  step 2 – Internal analysis: analysis of the snapshot in the forensic tool, export of data to other related tools for fine analysis
  step 3 – External analysis: analysis based on data properties (not intrinsically forensic values) with external tools; the data is available to non-forensic tools (export, database connection etc.)
  step 4 – Action or redoing the snapshot: results from step 3 go back into the forensic tool as a list of suspicious processes, and further forensic analysis is carried out (hash analysis, entropy etc.)
• for any data consolidation it helps if an additional view into the data is available
• this view is problem dependent and very often fuzzy; it requires data export into something else (Excel very often) or into a SQL database
Slide 9: Example
• a set of sweeps and the related sqlite db file
• Sweep.sqlite – all sweep data in one file
Slide 10: Explanation of data
• for each sweep (set of machine snapshots)
  – some data are undocumented
  – the set of machine snapshots is spread over various tables
    • machine data
    • users, groups
    • network data (IP, route, ARP, MAC ..)
    • DLLs and their attributes – instances of a DLL, ownership, size, hash, loads
    • processes and their attributes – instances of a process, ownership, size, hash ..
  – no disk info (another method of access)
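Because the sweep database is partly undocumented, the first practical step is to inventory it. The following Python helper is an added example, not code from the slides or from EnCase/Infozoom: it lists every table with its columns, row count and the columns holding BLOB values (data "in native format"), guesses join columns from the *_id naming, and decodes a 4-byte IP blob. The table names, columns and sample rows are constructed assumptions; the real sweep.sqlite schema is not shown on the page.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for sweep.sqlite (assumed schema, not EnCase's)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Snapshot(id INTEGER PRIMARY KEY, machine TEXT, taken TEXT);
        CREATE TABLE Process(id INTEGER PRIMARY KEY, snapshot_id INTEGER,
                             name TEXT, path TEXT, hash TEXT, size INTEGER);
        CREATE TABLE IpData(id INTEGER PRIMARY KEY, snapshot_id INTEGER, raw BLOB);
        INSERT INTO Snapshot VALUES (1, 'WS01', '2013-09-12'), (2, 'WS02', '2013-09-12');
        INSERT INTO Process VALUES (1, 1, 'svchost.exe', 'C:\\Windows\\System32', 'aa11', 1024);
        INSERT INTO IpData VALUES (1, 1, X'C0A80001');
    """)
    return con

def describe_db(con):
    """Map every user table to its columns, row count and the columns that hold
    BLOB values (data 'in native format'), so the undocumented layout is visible."""
    out = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for t in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, default, pk)
        cols = [(r[1], r[2]) for r in con.execute(f"PRAGMA table_info('{t}')")]
        rows = con.execute(f"SELECT COUNT(*) FROM [{t}]").fetchone()[0]
        blob_cols = [c for c, _ in cols if con.execute(
            f"SELECT 1 FROM [{t}] WHERE typeof([{c}])='blob' LIMIT 1").fetchone()]
        out[t] = {"columns": cols, "rows": rows, "blob_columns": blob_cols}
    return out

def link_columns(schema):
    """Columns named *_id hint at how snapshot tables join (a heuristic, not documented)."""
    return {t: [c for c, _ in d["columns"] if c.endswith("_id")] for t, d in schema.items()}

def decode_ipv4(raw):
    """Decode a 4-byte blob as dotted IPv4; network byte order is an assumption."""
    if len(raw) != 4:
        raise ValueError("expected 4 bytes")
    return ".".join(str(b) for b in raw)
```

Point build_sample_db at a copy of the real file (sqlite3.connect on a working copy, never the evidence) and describe_db shows which tables exist before any query is written.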
Slide 11: Data in sweep.sqlite – set of snapshots
Slide 12: Snapshot data
• info about snapshots
Slide 13: IP data
• information about IP-related data in the snapshot
• data in native format (hex etc.)
Slide 14: Process data
• all data about a process as one big view
• easy to spot irregularities
• Example: svchost.exe – often infected through DLL injection
Slide 15: Example process
svchost.exe on all machines in the sweep db
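The cross-machine comparison that slide 8 (steps 2 to 4) and slides 14 and 15 describe, written out as an added example rather than the slides' own code or an EnCase/Infozoom feature: it builds one view of svchost.exe across every machine in the sweep, flags machines whose path or hash differs from the sweep majority or that load a DLL few other machines load, and returns the suspect list that step 4 feeds back into the forensic tool. The Process and Dll tables and the sample rows are constructed assumptions, not the real sweep.sqlite layout.

```python
import sqlite3
from collections import Counter, defaultdict

# Constructed sample rows (machine, process, path, hash, loaded DLLs); assumed schema.
SAMPLE_ROWS = [
    ("WS01", "svchost.exe", r"C:\Windows\System32\svchost.exe", "h1", ["ntdll.dll", "rpcrt4.dll"]),
    ("WS02", "svchost.exe", r"C:\Windows\System32\svchost.exe", "h1", ["ntdll.dll", "rpcrt4.dll"]),
    ("WS03", "svchost.exe", r"C:\Windows\System32\svchost.exe", "h1", ["ntdll.dll", "rpcrt4.dll", "update.dll"]),
    ("WS04", "svchost.exe", r"C:\Users\Public\svchost.exe", "h9", ["ntdll.dll"]),
]

def load_sample():
    """Load the constructed rows into an in-memory db shaped like a sweep export."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Process(machine TEXT, name TEXT, path TEXT, hash TEXT);
        CREATE TABLE Dll(machine TEXT, process TEXT, dll TEXT);""")
    for m, p, path, h, dlls in SAMPLE_ROWS:
        con.execute("INSERT INTO Process VALUES (?,?,?,?)", (m, p, path, h))
        con.executemany("INSERT INTO Dll VALUES (?,?,?)", [(m, p, d) for d in dlls])
    return con

def process_view(con, name):
    """One row per machine for a process name: path, hash and the set of loaded DLLs."""
    view = {}
    for m, path, h in con.execute(
            "SELECT machine, path, hash FROM Process WHERE name=?", (name,)):
        dlls = {r[0] for r in con.execute(
            "SELECT dll FROM Dll WHERE machine=? AND process=?", (m, name))}
        view[m] = {"path": path, "hash": h, "dlls": dlls}
    return view

def find_outliers(view, min_share=0.5):
    """Flag path/hash deviating from the sweep majority and DLLs loaded on few machines."""
    if not view:
        return {}
    n = len(view)
    top_path = Counter(v["path"] for v in view.values()).most_common(1)[0][0]
    top_hash = Counter(v["hash"] for v in view.values()).most_common(1)[0][0]
    dll_count = Counter(d for v in view.values() for d in v["dlls"])
    findings = defaultdict(list)
    for m, v in view.items():
        if v["path"] != top_path:
            findings[m].append("path %s differs from majority %s" % (v["path"], top_path))
        if v["hash"] != top_hash:
            findings[m].append("hash %s differs from majority %s" % (v["hash"], top_hash))
        for d in sorted(v["dlls"]):
            if dll_count[d] / n < min_share:
                findings[m].append("rare DLL %s (%d/%d machines)" % (d, dll_count[d], n))
    return dict(findings)  # suspect list for step 4, to be imported back into the tool
```

The majority rule only works when most machines in the sweep are clean; for a small or heavily compromised set, compare against a known-good baseline hash instead of the sweep majority.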
Slide 16: EnCase v7 sweep view
• through the EnCase program
• through Case Analyzer – browser / reporter
• very rough interface
• no global view
Slide 17: EnCase view of sweep data
Slide 18: EnCase snapshot & disk view
Slide 19: EnCase data browser – Case Analyzer EnScript
Slide 20: Case Analyzer report view
Slide 21: EnCase – in-program view of the data
Slide 22: INsig2 – Integrirana sigurnost (Integrated security)
Example of integration – other enterprise security tools
• Automated Incident Response Suite automates the task of manually filtering through alert data via the IDS/SIM/CMS interface
  • selects alerts of interest
  • performs an investigation through a snapshot
• same idea for data analysis as for plain EnCase Enterprise
• additional sources: log collector, SIEM, other forensic tools
Slide 23: Conclusion
• useful, but it needs a lot of expertise in all the tools used to get the data out and compare the really important data
• lack of standardization
• XML is useful
• for real-time incidents there is too much work on the tool instead of on the task
• mobile devices add a whole new dimension to this problem
Slide 24: Related tools & ideas
• Nuix http://www.nuix.com/
• other data mining / data analysis tools
• In the last year a lot of vendor-specific tools, delivered as part of packages, have come to market, mostly for timeline analysis and connection analysis, but again they lack flexibility
Slide 25: Questions?
• damir.delija@insig2.eu