
INTRODUCTION TO CYBER FORENSICS


Looking at the different steps involved in Cyber Forensics and an overall framework

Published in: Technology

Slide 1: INTRODUCTION TO CYBER FORENSICS
  {elysiumsecurity} cyber protection & response
  Version: 1.3a
  Date: 04/07/2018
  Author: Sylvain Martinez
  Reference: ESC6-MUSCL
  Classification: Public

Slide 2: CONTENTS
  CONTEXT
  • Definitions;
  • Cyber attacks and malware trends;
  • GDPR requirements.
  PRINCIPLES
  • Core principles.
  FRAMEWORK
  • Overview;
  • Goals;
  • Actions;
  • Activity scope.
  CASE STUDY
  • Client database leak investigation.
Slide 3: DEFINITIONS (from Wikipedia)
  • Forensic science: the application of science to criminal and civil laws, during criminal investigation, as governed by the legal standards of admissible evidence and criminal procedure.
  • Digital forensics: a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
  • Cyber/computer forensics: a branch of digital forensic science; the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
Slide 4: CYBER ATTACKS AND MALWARE TRENDS
  [Chart not included in this transcript] Source: AV-TEST
Slide 5: GDPR REQUIREMENTS
  • Article 33: 72h reporting.
  • Nature of the breach? (Who? Where? How?)
  • Potential impact?
  • What has been done to prevent the breach? (Controls? Processes?)
  Icons from the Noun Project unless specified otherwise.
Slide 6: CORE PRINCIPLES
  • Preservation of integrity;
  • Chain of custody;
  • Online/offline?
  • Never forget the « S »!!
  • Activity goals.
Slide 7: OVERVIEW
  Activity scope: Context, Logs, Filesystem, Config, Network, Memory, Advanced.
  Actions: Acquisition, Analysis, Reporting.
  Goals:
  • Identification: impact/target/technique;
  • Attribution: source of attack;
  • Collection: evidence of compromise.
  Copyright ELYSIUMSECURITY LTD, please refer to us if reusing this diagram: https://www.elysiumsecurity.com

Slide 8: GOALS
  Identification (impact/target/technique), Attribution (source of attack), Collection (evidence of compromise).
  • WHAT? What was compromised? What was stolen/modified?
  • WHERE? Where did the controls fail? Where did the data go?
  • HOW? How did they hack? How was it stopped?
  • WHY? Why did they target you? Why was it successful?
  • WHO? Who was targeted? Who was responsible?

Slide 9: ACTIONS
  • Acquisition: identification of evidence; preservation of evidence; collection of evidence.
  • Analysis: analysis of evidence.
  • Reporting: documentation of evidence; presentation of evidence.
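"Preservation of integrity" and "chain of custody" (slide 6) are what the preservation and collection steps of slide 9 have to produce in practice: a hash baseline taken at acquisition and a record of every hand-off, so that anything analysed later can be shown to be the same bytes that were collected. The script below is an added example written for this page, not code from the ElysiumSecurity deck; the evidence identifier, handler names and the "disk image" bytes are constructed placeholders.

```python
"""Integrity baseline and chain-of-custody record for an acquired evidence image.
Added example (not from the ElysiumSecurity slides); names and the image are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional


def fingerprint(data: bytes) -> dict:
    """Hash the image with two algorithms (as imaging tools commonly do) and note its
    size, so a later reader can re-check it even if one algorithm is distrusted."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class CustodyLog:
    """Append-only record of who handled the evidence, what they did, when, and what
    the evidence hashed to at that moment. The first entry is the acquisition
    baseline that every later verification is compared against."""

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries: List[dict] = []

    def record(self, handler: str, action: str, data: bytes,
               when: Optional[datetime] = None) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            **fingerprint(data),
        }
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """True only if size and both digests match the acquisition baseline."""
        if not self.entries:
            return False
        base, now = self.entries[0], fingerprint(data)
        return (
            now["size"] == base["size"]
            and hmac.compare_digest(now["md5"], base["md5"])
            and hmac.compare_digest(now["sha256"], base["sha256"])
        )

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> dict:
    # Constructed stand-in for a disk image; in practice this is the bytes of the .dd/.E01 file.
    image = bytes(range(256)) * 64
    log = CustodyLog("CASE-2018-001/HDD-01")  # placeholder evidence identifier
    log.record("Analyst A", "acquired bit-for-bit image behind a write blocker", image)
    working_copy = bytes(image)  # analysis happens on a copy, never on the original
    log.record("Analyst B", "received working copy for analysis", working_copy)
    tampered = bytearray(working_copy)
    tampered[4096] ^= 0x01  # a single flipped bit is enough to break the chain
    return {
        "original_ok": log.verify(working_copy),
        "tampered_ok": log.verify(bytes(tampered)),
        "entries": len(log.entries),
        "custody_json": log.to_json(),
    }


if __name__ == "__main__":
    result = demo()
    print(result["custody_json"])
    print("working copy intact:", result["original_ok"],
          "| tampered copy intact:", result["tampered_ok"])
```

The custody log is only as trustworthy as its own storage: keep it outside the evidence volume, and treat the first entry's hashes as the values to quote in the final report.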
Slide 10: ACTIVITY - CONTEXT
  • Timeline;
  • Location;
  • Medium;
  • Individuals;
  • Activities.
  Method: interviews.
  Read-only copy of evidence!

Slide 11: ACTIVITY - LOGS
  • Endpoints;
  • Servers;
  • Network devices;
  • Cloud services.
  Tools: Event Viewer, web tools.
  Start with a timeline range.
  Read-only copy of evidence!

Slide 12: ACTIVITY - FILESYSTEM
  • Super timeline;
  • File/app/keyword search;
  • Places of interest;
  • Virus scans.
  Tools: log2timeline, TSK (The Sleuth Kit).
  Huge amount of data.
  Read-only copy of evidence!
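Slides 11 and 12 give the two habits that keep log and filesystem work manageable: merge every source into one ordered "super timeline", and cut it to the time range of interest before reading. The script below is an added example written for this page; it is not log2timeline/plaso or TSK, and the Windows export, proxy lines and file modification times are constructed. It assumes the Windows export is already in UTC, and it shows the one thing that most often goes wrong when merging: the proxy log carries a +0200 local offset, so its 09:09 entry is really 07:09 UTC and falls outside a range that looks right on the face of it.

```python
"""Mini 'super timeline': events from several sources normalized to UTC, merged,
sorted, and cut to the time range of interest. Added example; not log2timeline or
TSK, and every log line below is constructed."""
import re
from datetime import datetime, timezone

# Constructed Windows event export (assumed already in UTC): timestamp,channel,event id,message
WINDOWS_EVENTS = [
    "2018-05-29 08:58:03,Security,4624,Logon user=exec01 from 10.0.0.5",
    "2018-05-29 09:11:45,System,7045,Service installed: updsvc",
]
# Constructed proxy log in Common Log Format; note the +0200 local offset in the timestamp
PROXY_LOG = [
    '10.0.0.23 - - [29/May/2018:09:03:10 +0200] "GET http://webmail-login.example/ HTTP/1.1" 200',
    '10.0.0.23 - - [29/May/2018:09:09:02 +0200] "POST http://webmail-login.example/auth HTTP/1.1" 302',
]
# Constructed file modification times: (path, mtime as Unix epoch seconds, UTC)
FILE_MTIMES = [
    ("C:/Users/exec01/AppData/Local/Temp/plugin.dll", 1527584989),
    ("C:/Windows/System32/drivers/etc/hosts", 1527400000),
]

_CLF_TS = re.compile(r"\[([^\]]+)\]")


def _entry(ts: datetime, source: str, summary: str) -> dict:
    ts = ts.astimezone(timezone.utc)  # every entry carries a UTC timestamp
    return {"ts": ts, "utc": ts.isoformat(), "source": source, "summary": summary}


def parse_windows(line: str) -> dict:
    ts, channel, event_id, message = line.split(",", 3)
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return _entry(when, "windows", f"{channel}/{event_id}: {message}")


def parse_proxy(line: str) -> dict:
    raw = _CLF_TS.search(line).group(1)
    when = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")  # %z consumes the +0200 offset
    request = line.split('"')[1]
    return _entry(when, "proxy", request)


def parse_mtime(path: str, epoch: int) -> dict:
    return _entry(datetime.fromtimestamp(epoch, tz=timezone.utc), "file", f"modified {path}")


def build_timeline() -> list:
    """All sources merged and sorted by UTC timestamp."""
    events = [parse_windows(line) for line in WINDOWS_EVENTS]
    events += [parse_proxy(line) for line in PROXY_LOG]
    events += [parse_mtime(path, epoch) for path, epoch in FILE_MTIMES]
    return sorted(events, key=lambda e: e["ts"])


def timeline_in_range(start_iso: str, end_iso: str) -> list:
    """Entries with start <= ts < end. Bounds are ISO-8601 strings with an offset,
    e.g. '2018-05-29T08:30:00+00:00'."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [e for e in build_timeline() if start <= e["ts"] < end]


if __name__ == "__main__":
    for e in timeline_in_range("2018-05-29T08:30:00+00:00", "2018-05-29T09:30:00+00:00"):
        print(e["utc"], e["source"].ljust(8), e["summary"])
```

Adding a source means writing one more parser that returns the same entry shape; the merge and range filter do not change. Keep the original timestamp string in the summary if you need to argue the conversion in a report.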
Slide 13: ACTIVITY - CONFIG
  • Registry key hive;
  • System files;
  • Application configuration;
  • Recent changes/installations.
  Tools: regedit / HijackThis / grep.
  Read-only copy of evidence!

Slide 14: ACTIVITY - NETWORK
  • Source/destination activities;
  • Protocol used;
  • Traffic content analysis;
  • IDS analysis.
  Tools: Wireshark / tcpdump.
  Read-only copy of evidence!
Slide 15: ACTIVITY - MEMORY
  • Memory dump;
  • Memory / page files;
  • Running processes;
  • Binary inspection;
  • Hidden data.
  Tools: Volatility / Rekall.
  Read-only copy of evidence!

Slide 16: ACTIVITY - ADVANCED
  • User activity simulation;
  • Malware reverse engineering;
  • Malware sandboxing;
  • Honeypots;
  • Hacker communication.
  DANGEROUS!
  Read-only copy of evidence!
Slide 17: CLIENT DATABASE LEAK INVESTIGATION
  Context:
  • Executive attended a conference;
  • Logged in to webmail;
  • Warning ignored;
  • Client DB leaked;
  • 29/05/18 @ 09:09.
  Log:
  • Email login from a suspicious country;
  • Email to DB support deleted;
  • VPN access from the conference.
  Filesystem:
  • Trojan files found;
  • Hidden partition identified;
  • Bad web plugin deleted;
  • USB connection.
  Config:
  • Web history to a fake webmail;
  • Firewall turned off;
  • AV whitelist of a suspicious directory;
  • Suspicious service.
  Network:
  • Process sending data to an IP every 5 minutes;
  • Endpoint acting as a proxy for the intranet;
  • IDS flag alerts.
  Memory:
  • Hidden processes;
  • Trojan detected in memory;
  • Remote connection live.
  Advanced:
  • Malware source code in French;
  • IP trail from known groups;
  • Hacker for hire from an ex-employee.
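The network finding in the case study, a process sending data to one IP every 5 minutes, is the classic beaconing pattern, and it is the kind of thing the IDS analysis of slide 14 is meant to surface from connection records. The script below is an added example written for this page, not part of the deck or of any IDS product: it groups constructed flow records by source, destination and port, computes the inter-arrival times, and flags groups whose intervals are both frequent and regular. The hosts, addresses and timings are constructed (documentation ranges), and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag periodic outbound connections ('beaconing') in connection records, the pattern
behind the case study's 'process sending data to an IP every 5 minutes'. Added example,
not from the slides or any IDS product; the flow records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def constructed_flows() -> list:
    """Sample (timestamp, src, dst, dport) records: one host beacons to 203.0.113.7:443
    roughly every 300 s, the same host browses 198.51.100.10 irregularly, and a third
    destination is seen once (too few connections to judge)."""
    t0 = datetime(2018, 5, 29, 9, 0, 0, tzinfo=timezone.utc)
    flows = []
    t = t0
    for gap in [0, 298, 303, 299, 301, 300, 297, 302]:  # small jitter around 300 s
        t += timedelta(seconds=gap)
        flows.append((t, "10.0.0.23", "203.0.113.7", 443))
    t = t0
    for gap in [0, 12, 340, 5, 1900]:  # human browsing: irregular gaps
        t += timedelta(seconds=gap)
        flows.append((t, "10.0.0.23", "198.51.100.10", 443))
    flows.append((t0 + timedelta(seconds=50), "10.0.0.23", "192.0.2.9", 53))
    return flows


def find_beacons(flows, min_connections=6, max_jitter=0.1) -> list:
    """Group flows by (src, dst, dport); a group is a beacon candidate when it has at
    least min_connections and regular inter-arrival times (stdev/mean <= max_jitter).
    Thresholds are assumptions for this example, not values from the slides."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)
    candidates = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            candidates.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return candidates


if __name__ == "__main__":
    for c in find_beacons(constructed_flows()):
        print(f"{c['src']} -> {c['dst']}:{c['dport']} every ~{c['interval_s']}s "
              f"({c['count']} connections, jitter {c['jitter']})")
```

A hit from this check is a lead, not a conclusion: legitimate software updaters and monitoring agents also poll on fixed intervals, which is why the case study pairs the network finding with the memory and filesystem evidence (the hidden process and the trojan files) before attributing it.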
Slide 18: ABOUT ELYSIUMSECURITY LTD.
  ElysiumSecurity provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. Operating in Mauritius and in the United Kingdom, our boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.
  ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness through an organization.
  ElysiumSecurity provides high level expertise gathered through years of best practices experience in large international companies allowing us to provide advice best suited to your business operational model and priorities.
  © 2018 Elysium Security Ltd. All Rights Reserved. www.elysiumsecurity.com
