Vest Forensics presentation, OWASP Benelux Days 2012, Leuven
DIGITAL INVESTIGATIONS: FORENSICS AND AUDIT TRAILS

ABOUT THE SPEAKERS
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: security architecture and infrastructure, security audits and testing, security management, awareness and digital forensics. He presents lectures at (international) conferences and is looking forward to sharing experiences with you at the OWASP Benelux Days 2012.
Kees Mastwijk is a security consultant working with Vest, acting as security auditor, awareness program leader and security manager. He has a long (and ongoing) history in digital forensic research.

TALK OUTLINE
• Basics
• Principles
• Audit trails
• Timeline analysis
• Challenges: BIG data, solid state drives, cloud computing, the changing forensic landscape
• Trends: triage, visualization
• And then what?

INVESTIGATION BASICS
Why do people commit fraud, crime, 'misbehaviour', ...?
Fraud Triangle:
• Opportunity: one has to be able to commit the fraud
• Motive: there is a 'drive' to commit the fraud
• Rationalization: the actions will be justified

INVESTIGATION BASICS (cont.)
Understanding the Fraud Triangle helps with:
• Formulating the investigation charter
• Creating scenarios
• It applies to fraud and forensic investigations as well as to security testing

TYPES OF DIGITAL INVESTIGATIONS (by the nature of the fraud/crime)
• Against computer systems, e.g. hacking, spam
• Where computer systems are used to commit fraud, stalking, harassment

CHARACTERISTICS OF GOOD EVIDENCE
• Intact (integrity preserved)
• Relevant
• Reproducible

KNOW YOUR STUFF! REQUIRED SKILLS AND KNOWLEDGE
• Technical skills: understand what kind of evidence you are looking for
• Investigative skills: understand the value of the evidence in the case, translate highly technical findings into an easy to understand report, and be able to spot abnormalities
• All while maintaining the chain of custody

BASICS
Basic steps in a digital forensic investigation:
• Preparation
• Acquisition of evidence
• Duplication
• Extraction
• Analysis
• Reporting

PREPARATION
• Investigation charter
• Determine the scope and preconditions of the investigation
• Determine potential locations of relevant evidence based on the type of investigation:
  - Network
  - Data carriers such as hard disk drives, smartphones, USB drives, etc.
  - Memory
  - Etc.
• Expectation management (communication)
• Create an investigation log and maintain it throughout the process

ACQUISITION & PRESERVATION
• NEVER conduct an investigation on the original material
• Acquire potential evidence using forensically sound procedures, tools and hardware
• Use write-blocking hardware and software that ensures the integrity of the copy (hash the source and the image, and compare)
• Duplicate the acquired evidence files to a secured backup location
• Note the system configuration settings, especially time-related ones (clock, time zone)
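The acquisition and duplication steps above, as an added example that is not part of the original slides: a constructed file stands in for the source medium, the image is written block by block while the bytes read from the source are hashed in the same pass, the image is then re-read and hashed independently, and both values go into an acquisition record for the investigation log together with the examiner's clock settings. A second copy with one byte changed shows what a failed verification looks like. Paths, the examiner name and the block size are assumptions.

```python
"""Acquisition with integrity verification (added example, not from the slides)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096                       # assumption: read/write granularity of the imaging loop
SAMPLE_MEDIUM = bytes(range(256)) * 52  # constructed "drive" contents: 3 full blocks plus a partial one


def hash_file(path, block_size=BLOCK_SIZE):
    """SHA-256 of a file, streamed so that images larger than memory work too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(src_path, dst_path, block_size=BLOCK_SIZE):
    """Copy src to dst block by block and return the SHA-256 of the bytes read from src.

    Hashing in the same pass means the source is read exactly once; the image is
    hashed separately afterwards so the two values are independent."""
    source_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            source_hash.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())          # the image must be on disk before it is re-hashed
    return source_hash.hexdigest()


def acquisition_record(src_path, dst_path, examiner):
    """Run the acquisition and build the entry that goes into the investigation log."""
    source_hash = acquire_image(src_path, dst_path)
    image_hash = hash_file(dst_path)
    local_now = datetime.now().astimezone()
    return {
        "source": src_path,
        "image": dst_path,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
        "acquired_at_utc": local_now.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "examiner_tz_offset": str(local_now.utcoffset()),   # time-related setting of the examiner's system
        "examiner": examiner,
    }


def demo():
    """Acquire the constructed medium, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb.raw")
        with open(src, "wb") as f:
            f.write(SAMPLE_MEDIUM)
        img = os.path.join(tmp, "sdb-image.raw")
        rec = acquisition_record(src, img, "examiner-1")   # assumption: examiner id

        tampered = os.path.join(tmp, "sdb-image-tampered.raw")
        with open(img, "rb") as f:
            data = bytearray(f.read())
        data[1000] ^= 0x01                                  # flip one bit in the copy
        with open(tampered, "wb") as f:
            f.write(data)
        rec["tampered_image_verified"] = hash_file(tampered) == rec["sha256_source"]
        return rec


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record is what the investigation log should hold for every acquisition: both hashes, the verification result, the UTC time and the examiner's local offset, so that a reviewer can reproduce the check later without the examiner's workstation.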
EXTRACTION
• Compound files (zip/rar, certain e-mail archives) may need to be extracted before their contents can be searched
• Transform data into usable investigation objects
• Disk images contain potential 'hidden' evidence in file slack, unallocated clusters, etc.

UNALLOCATED CLUSTERS
(figure) Clusters no longer referenced by the file system still hold the contents of deleted files until they are reused.

CARVING UNALLOCATED CLUSTERS
(figure) Recovering files from unallocated space by scanning for known file headers and footers, without help from the file system.
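Header/footer carving over unallocated space, as an added example that is not part of the original slides. A constructed byte buffer stands in for the unallocated clusters of an image: two JPEG-like files (start-of-image marker FF D8 FF, end-of-image marker FF D9) sit between runs of filler, and a third has had its tail overwritten, so the carver has to report a header that never gets its footer instead of running on forever. The size limit and the sample contents are assumptions.

```python
"""Carving JPEG files from unallocated space (added example, not from the slides)."""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"      # start-of-image marker followed by the next marker's FF
JPEG_EOI = b"\xff\xd9"          # end-of-image marker
MAX_CARVE = 10 * 1024 * 1024    # assumption: give up on a header with no footer within 10 MiB


def carve_jpegs(buf, max_size=MAX_CARVE):
    """Return (offset, data) for every header/footer pair; data is None for a header without footer.

    Header-to-footer carving: find a SOI, then take everything up to the first EOI
    after it. Scanning resumes after the carved file so markers inside it are not
    treated as new files."""
    results = []
    pos = 0
    while True:
        start = buf.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = buf.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            results.append((start, None))    # footer overwritten or beyond the limit
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        results.append((start, buf[start:end]))
        pos = end
    return results


def carve_report(buf):
    """What an investigator records per hit: offset, size, hash and status."""
    report = []
    for offset, data in carve_jpegs(buf):
        if data is None:
            report.append({"offset": offset, "status": "header only (footer overwritten or beyond limit)"})
        else:
            report.append({"offset": offset, "size": len(data),
                           "sha256": hashlib.sha256(data).hexdigest(), "status": "carved"})
    return report


def make_sample_unallocated():
    """Constructed unallocated space: filler, two intact JPEG-like files, one truncated file."""
    filler = b"\x00" * 512
    jpeg1 = b"\xff\xd8\xff\xe0" + b"JFIF-one-" * 50 + b"\xff\xd9"     # 456 bytes
    jpeg2 = b"\xff\xd8\xff\xe1" + b"JFIF-two-" * 70 + b"\xff\xd9"     # 636 bytes
    truncated = b"\xff\xd8\xff\xe0" + b"lost-tail-" * 20               # EOI overwritten
    return filler + jpeg1 + filler + b"random" + jpeg2 + filler + truncated + filler


if __name__ == "__main__":
    for hit in carve_report(make_sample_unallocated()):
        print(hit)
```

Real JPEGs often embed an EXIF thumbnail with its own SOI/EOI pair, so a naive header-to-footer carver can stop at the thumbnail's footer and return a truncated picture; that is one concrete reason for the later advice to cross-check results with a second tool rather than trusting one carver.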
ANALYSIS
• Select tooling to conduct the analysis
• Many tools are available, specific to each type of investigation
• Cross-check and verify your findings; do not rely on the results of one tool
• Keep the questions the investigation has to answer in mind, or you will get lost

REPORTING
• Translate findings into a readable report
• Be transparent in describing your investigative process
• Answer the 'W' and 'H' questions: who did what, when, where, why and how
• Do not jump to conclusions! Beware of tunnel vision

CHALLENGES IN DIGITAL FORENSICS
• BIG data changes the way investigations will be conducted
• Diversity of equipment used in today's communications
• Solid state disks (SSDs) reduce the likelihood of retrieving previously deleted data, because TRIM and the drive's own garbage collection erase unallocated blocks
• Unclear where your data is: e.g. cloud computing changes the potential source locations
• Virtual desktop infrastructures
• Compliance rules limiting access to public records

TRENDS IN DIGITAL FORENSICS: TRIAGE
• Screen potential evidence instead of creating a full disk image first, to conduct digital investigations efficiently and cost-effectively; the average storage in a system has increased substantially
• Previewing and searching potential evidence saves a lot of time and storage
• If a triaged system contains sources of evidence, create a full disk image

TRENDS IN DIGITAL FORENSICS: VISUALIZATION
• Visualize BIG data to correlate events, relationships and systems
• Profiling applications

AUDIT TRAILS
In a digital forensic context: 'a chronological presentation of actions and events extracted from user- or system-generated information'

SYSTEM GENERATED EVIDENCE
Users have little understanding and awareness of the presence of this kind of evidence!
Some examples:
• NTUSER.DAT
• Web server logs
• index.dat files
• Print spooler logs
• E-mail headers
• Registry files
• Temp/tmp folders
• Etc.

USER CREATED EVIDENCE
Some examples:
• Pictures
• (Open) Office documents
• Internet history
• Chat services
• E-mails

OTHER POTENTIAL EVIDENCE
• Call registers
• Attendance registers
• Surveillance videos
• Etc.
Note: mind the regulations on privacy, proportionality and subsidiarity.

AUDIT TRAILS COMBINED
Combining system-generated and user-generated evidence with additional information creates a complete audit trail.
Interrelate and correlate, minding proper time synchronization and unique identifiers. Don't assume: the user account williamsj does not have to be John Williams.
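The combined audit trail and the timeline analysis from the outline, as an added example that is not part of the original slides. Four constructed log lines in four formats (Apache-style web log with its own UTC offset, a syslog firewall line without a year or offset, an ISO 8601 mail tracking line, and an attendance register in local time) are normalized to UTC, corrected for a measured clock error on one source, sorted, and joined to a subject only through an explicit identity table backed by other evidence; an identifier that is not in that table stays unresolved rather than being guessed. The log lines, host names, the 120 s clock error, the time zones and the identity table are all assumptions.

```python
"""Multi-source timeline with clock correction and identifier resolution (added example)."""
import re
from datetime import datetime, timedelta, timezone

LOG_YEAR = 2012                                   # assumption: syslog lines carry no year
REGISTER_TZ = timezone(timedelta(hours=1))        # assumption: badge register keeps local time (CET)
# Clock corrections established during preparation by comparing each source against a
# reference event; assumption: fw01's clock was found to run 120 s fast.
CLOCK_OFFSET = {"fw01": timedelta(seconds=120)}
# Identity links backed by separate evidence (HR record, DHCP lease, mail account admin).
# Anything not listed here stays unresolved: williamsj is not assumed to be John Williams.
IDENTITY_MAP = {
    "account:williamsj": "subject-1",
    "ip:10.0.0.5": "subject-1",
    "mail:j.williams@example.org": "subject-1",
    "badge:4711": "subject-1",
}

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$')
MAIL_RE = re.compile(r'^(?P<ts>\S+) sender=(?P<sender>\S+) recipient=(?P<rcpt>\S+) subject="(?P<subj>[^"]*)"$')
REGISTER_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) badge=(?P<badge>\d+) door=(?P<door>\S+)$')


def parse_apache(line):
    m = APACHE_RE.match(line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")      # offset is in the line itself
    ids = ["ip:" + m["ip"]] + (["account:" + m["user"]] if m["user"] != "-" else [])
    return ts, ids, f'{m["req"]} -> {m["status"]}'


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    naive = datetime.strptime(f'{LOG_YEAR} {" ".join(m["ts"].split())}', "%Y %b %d %H:%M:%S")
    # assumption: fw01 logs in UTC; the measured clock error is removed here
    ts = naive.replace(tzinfo=timezone.utc) - CLOCK_OFFSET.get(m["host"], timedelta(0))
    src = re.search(r"SRC=(\S+)", m["msg"])
    return ts, (["ip:" + src.group(1)] if src else []), m["msg"]


def parse_mail(line):
    m = MAIL_RE.match(line)
    return datetime.fromisoformat(m["ts"]), ["mail:" + m["sender"]], f'mail to {m["rcpt"]}: {m["subj"]}'


def parse_register(line):
    m = REGISTER_RE.match(line)
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M").replace(tzinfo=REGISTER_TZ)
    return ts, ["badge:" + m["badge"]], f'badge at {m["door"]}'


PARSERS = {"web01": parse_apache, "fw01": parse_syslog, "mx01": parse_mail, "badge": parse_register}

# Constructed sample records: (source, raw line). Names, addresses and dates are made up.
SAMPLE_LOGS = [
    ("web01", '10.0.0.5 - williamsj [17/Nov/2012:09:15:02 +0100] "GET /agenda HTTP/1.1" 200 512'),
    ("fw01", "Nov 17 08:14:58 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=198.51.100.7 DPT=443"),
    ("mx01", '2012-11-17T10:20:11+02:00 sender=j.williams@example.org recipient=program@example.org subject="Slides for my talk"'),
    ("badge", "2012-11-17 09:05 badge=4711 door=main-entrance"),
    ("web01", '10.0.0.9 - - [17/Nov/2012:09:16:40 +0100] "GET /index.html HTTP/1.1" 200 1024'),
]


def resolve(ids):
    """Map identifiers to a subject only via IDENTITY_MAP; report conflicts instead of picking one."""
    subjects = {IDENTITY_MAP[i] for i in ids if i in IDENTITY_MAP}
    if len(subjects) == 1:
        return subjects.pop()
    return "unresolved" if not subjects else "conflict:" + ",".join(sorted(subjects))


def build_timeline(records):
    """Normalize every record to UTC, resolve its actor and return the events in time order."""
    events = []
    for source, line in records:
        ts, ids, what = PARSERS[source](line)
        events.append({"utc": ts.astimezone(timezone.utc), "source": source,
                       "subject": resolve(ids), "ids": ids, "what": what})
    events.sort(key=lambda e: e["utc"])
    return events


def events_for(timeline, subject):
    return [e for e in timeline if e["subject"] == subject]


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS):
        print(e["utc"].isoformat(), e["source"], e["subject"], e["what"])
```

Two details carry the slide's warning: the clock correction is applied per source and recorded as a constant that the report can cite, and the web request from 10.0.0.9 ends up under "unresolved" because no lease or account record ties that address to anyone.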
FORENSIC READINESS
• Be prepared for incidents: they WILL happen
• Compliance
• Prevention
• Early warnings
• Limiting 'damage'
• Reduced investigation cost and time
• Effective sanctions (HR/Legal/IT)

CASE
'Did the speaker participate in the OWASP Benelux 2012 conference?'

CASE (cont.)
Potential evidence:
• The speaker's laptop
• Network/server logs
• Smartphone
• Call registers

CASE (cont.)
Hard disk evidence:
• Keyword search
• System file analysis

CASE (cont.)
Hits:
• Unallocated clusters (system generated)
• Pagefile (system generated)
• NTUSER.DAT
• Network data: firewall logs
• E-mail messages
• Message tracking logs
• Etc.

HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Web server: logs
• Application server/middleware: logs
• Database server: logs, system tables, memory
• Do not limit log files: log verbosely, and do not let rotation overwrite or discard older entries
• Applications: what have YOU instructed the application to log/record?

HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS (cont.)
• The application 'knows and sees' a lot!
• CAPTURE THAT DATA
• Facilitate detailed logging for the purpose of audit trails:
  Who: e.g. user account
  What: (sequence of) activity
  When: date/time stamps
  Where: IP address, geo info, endpoint characteristics
  How: application navigation behaviour
• As much and as detailed as possible!
• Look across boundaries: record what the application can see at both ends, the client side and the back end

HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS (cont.)
• Where?
  - (Additional) log files
  - (System) event log
  - Database!
• Mind:
  - Location and size
  - Access and authorization
  - Performance
• Forensic principles are to be included in your design!

HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS (cont.)
• Add monitoring and triggering mechanisms to your (forensic) logging to enhance traceability, with early warning and even prevention advantages
• It might also support your regular system debugging ;-)
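The application-side audit trail described on the last three slides (who/what/when/where/how records that are never overwritten, plus triggers on top of them), as an added example that is not part of the original slides or of any real framework. Every record carries the five fields, a UTC timestamp, the request id and a sequence number, so gaps or overwrites are detectable later; two triggers run over the same records: a burst of failed logins for one account, and one account acting from two IP addresses within a short window. The field layout, thresholds, windows and the sample records are assumptions.

```python
"""Application audit trail with early-warning triggers (added example, not from the slides)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class AuditTrail:
    """Append-only trail: one record per action, numbered, optionally written as JSON lines."""

    def __init__(self, sink=None):
        self.seq = 0
        self.records = []
        self.sink = sink                  # file-like object for JSON lines, or None

    def record(self, who, what, where, how, outcome, request_id, when=None):
        self.seq += 1
        rec = {
            "seq": self.seq,                                           # gap or overwrite shows up here
            "when": (when or datetime.now(timezone.utc)).isoformat(timespec="milliseconds"),
            "who": who,                                                # user account
            "what": what,                                              # activity
            "where": where,                                            # ip, endpoint characteristics
            "how": how,                                                # navigation: method, route, referer
            "outcome": outcome,
            "request_id": request_id,                                  # ties the record to server logs
        }
        self.records.append(rec)
        if self.sink is not None:
            self.sink.write(json.dumps(rec, sort_keys=True) + "\n")
        return rec


def burst_failures(trail, threshold=5, window=timedelta(minutes=5)):
    """Early warning: `threshold` failed logins for one account inside `window` (fires once)."""
    alerts, recent = [], defaultdict(deque)
    for rec in trail.records:
        if rec["what"] != "login" or rec["outcome"] != "failure":
            continue
        ts = datetime.fromisoformat(rec["when"])
        q = recent[rec["who"]]
        q.append(ts)
        while q and ts - q[0] > window:    # sliding window per account
            q.popleft()
        if len(q) == threshold:
            alerts.append({"who": rec["who"], "count": len(q), "first": q[0].isoformat(),
                           "last": ts.isoformat(), "seq": rec["seq"]})
    return alerts


def ip_switch(trail, window=timedelta(minutes=10)):
    """Same account acting from a different IP address than its previous action inside `window`."""
    alerts, last_seen = [], {}
    for rec in trail.records:
        ts = datetime.fromisoformat(rec["when"])
        ip = rec["where"]["ip"]
        prev = last_seen.get(rec["who"])
        if prev and prev[0] != ip and ts - prev[1] <= window:
            alerts.append({"who": rec["who"], "from": prev[0], "to": ip, "seq": rec["seq"]})
        last_seen[rec["who"]] = (ip, ts)
    return alerts


def sample_trail():
    """Constructed records: six failed logins in under two minutes, then a success from another IP."""
    trail = AuditTrail()
    base = datetime(2012, 11, 17, 8, 0, tzinfo=timezone.utc)
    for i in range(6):
        trail.record("williamsj", "login", {"ip": "10.0.0.5", "user_agent": "Mozilla/5.0"},
                     {"method": "POST", "route": "/login", "referer": "/"},
                     "failure", f"req-{i:03d}", when=base + timedelta(seconds=20 * i))
    trail.record("williamsj", "login", {"ip": "10.0.0.9", "user_agent": "curl/7.26"},
                 {"method": "POST", "route": "/login", "referer": None},
                 "success", "req-006", when=base + timedelta(minutes=3))
    trail.record("williamsj", "download", {"ip": "10.0.0.9", "user_agent": "curl/7.26"},
                 {"method": "GET", "route": "/agenda.pdf", "referer": "/agenda"},
                 "success", "req-007", when=base + timedelta(minutes=4))
    return trail


if __name__ == "__main__":
    t = sample_trail()
    print("failed-login bursts:", burst_failures(t))
    print("ip switches:", ip_switch(t))
```

The same records serve both purposes the slides name: after the fact they are the audit trail an investigator correlates with the web server and firewall logs through the request id and IP address, and while the application runs they feed triggers that can raise an early warning or block the session before damage is done.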
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS (cont.)
• Non-repudiation: perform security tests so that fraudulent people cannot dispute their acts or the operation of your application. (They will tell you your application environment sucks!) Prove them wrong!

HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS (cont.)
• And don't forget the traditional forensic sources:
• Not only application logs contain relevant information
• Consider logs of servers, network peripherals and workstations, and syslog

CONCLUSION
• All activity shown on screen has the potential to be recovered
• New technologies change the forensic landscape as well
• Be prepared for incidents and know how to handle them while preserving potential evidence
• Be forensic ready! Be proactive!

AND THEN WHAT?
• Do not forget about 'traditional' forensics
• Adjust NOW to the changing landscape!
• OWASP opened a Forensic project in August
• Let's ALL contribute:
  - We will ALL provide our knowledge and questions
  - List of tools
  - Facts about current forensic techniques (detailed tech stuff)
  - Your environments and challenges
  - Compose a Forensics Ready (Secure) Application framework
  - Create new tools?

THANK YOU
For any intermediate questions and suggestions:
  - marc@vest.nl (Marc Hullegie)
  - kees@vest.nl (Kees Mastwijk)
  www.vest.nl
See you all at the "OWASP Forensic Guide Project": http://owasp.org/index.php/owasp_forensic_guide_project