Forensics for the Defense
•Download as PPT, PDF•
0 likes•1,122 views
Forensic techniques are not just for law enforcement. You need to supplement your existing security package and provide evidence of due diligence in the event of an incident. Test your security before someone else does.
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (14)
Similar to Forensics for the Defense
Similar to Forensics for the Defense (20)
Recently uploaded
Recently uploaded (20)
Forensics for the Defense
- 1. Tom Kopchak Forensics for the Defense (of your network)
- 2. •Who am I? •Why am I here, and what got me here? •Why I am passionate about computer security? About the Presenter – Who am I?
- 4. The Truth • Evidence can be hard to come by • Any and all evidence must be carefully accounted for and documented • Cases involving movie-like circumstances are few and far between
- 5. Forensics = Valuable • Traditional - Law enforcement • Emerging - Security
- 6. Traditional Forensics – Disks
- 7. Next Steps – Memory
- 10. Commonalities
- 12. • Forensic Verification • Forensic Penetration Testing • Malware/Exploit/Breach Analysis Practical Applications
- 13. A word of caution... • Permission!
- 14. Why Forensics? • Security is not a checkbox • Simulate attack • Identify shortcomings
- 15. Forensic Verification • Applications might store temporary/cached data • PCI implications
- 16. Test Configuration • Control image • Test Cases • Analysis
- 17. Encrypted Laptop – Stolen! It’s safe, right?
- 18. The Solution – Forensics Penetration Testing Zero Knowledge vs. Authenticated Testing
- 19. The Real Test Fully Encrypted – Administrator Confidence 100%
- 20. Starting the Attack Machine Powered Off – Full Disk Images Created
- 21. Breakthrough • Grace period for pre-boot authentication lockout
- 22. Mounting the attack Downgrade memory – Leverage DMA – Exploit OS Result: Full Admin Access to Entire System
- 23. Failure of Encryption? • Encryption Did Not Fail! • Convenience vs. Security • Zero knowledge attack
- 24. Forensics for the Defense – One System at a Time • System vulnerabilities unknown until tested • Forensic Penetration testing = same purpose as traditional penetration test • Learn and improve from mistakes
- 25. Conclusions • Forensic techniques are not just for law enforcement • Supplement your existing security package • Provide evidence of due diligence in the event of an incident • Test your security before someone else does
- 26. Wrap Up/QA
Editor's Notes
- Crime scenes and evidence, Bringing criminals to justice, Secret files on devicesNeatly laid out trail of evidence, Police chases, GunfireEverything solved by the end of the TV show - in 30 minutes or less (commercials not included, of course)
- Law enforcement: Critical evidence in cases, Breaches/Cyber attacks Emerging - Security: Verification, penetration testing
- "Dead" analysis: Drive image, Searching for deleted and hidden files, Evidence must never change New technologies making this more challenging - Full disk encryption/hardware encryption, Solid State Drives
- Memory analysis - becoming increasingly important Capturing this evidence often requires modifying evidence - capture tools need to access/write to memory Some evidence may only exist in memory
- Network forensics - much more information Search and web history, timing of requests and keystrokes, location data Sources - firewall logs, DNS logs, IDS logs, packet captures
- Forensic techniques - more than just law enforcement - More flexibility - Experimenting with evidence may be desirable - Minimal legal issues, especially for research purposes
- - Time consuming process - Requires attention to detail - Documentation! - Consider time involved when determining if necessary
- -Verification - application analysis and verification -Pen testing - encrypted laptop -Malware/Exploit/Breach Analysis - be careful, legal concerns
- -Consider legal ramifications, especially if there is a possibility of criminal activity -Know your limits -Involve law enforcement-Critical for malware/breach investigations
- -Checkbox - trust but verify -Simulate an actual attack - Zero-knowledge attacks -Identify shortcomings before they become problems
- Application verification - Don’t trust the developer’s word!
- For application verification -Control image - system with application, simplify system as much as possible -Test cases: run application, generate data -Analysis: Investigate application process/behavior - MAC times, search for interesting data
- Setting the scene: Company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
- Zero knowledge attack - identical to a real attack Authenticated testing - allows for testing specific scenarios
- Laptop was fully encrypted Administrator confident no information could be retrieved or leaked
- Full disk images - physical and digital Write blocker used, system never booted using original disk (critical step!) - Scratch disk could be restored, no evidence of attack Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption Solution
- Grace period - window of time where system was allowed to boot normally -passphrase was required after timeout. Images/repeated imaging allowed us to work indefinitely System booted to Windows during grace period - no need to attack encryption directly, memory analysis techniques
- -Downgrade system memory -Leverage DMA to dump memory - firewire -Exploit operating system structure in memory (Inception tool) -Result - full admin access
- We didn’t need to break the encryption -leveraged configuration oversights, key may still be in memory -Convenience vs. Security, resulted in total failure -Zero Knowledge - company would not be able to determine information was stolen