Online DFS

725 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
725
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Online DFS

Slide 1: Cyber Security Technologies
Presentation of the OnLine Digital Forensic Suite™
Next-generation software for investigations of live computers in networks . . .
OnLineDFS Introduction - Proprietary & Confidential - Page 1

Slide 2: Focus
OnLine Digital Forensic Suite™ is a software product for the real-time investigation of live, running systems in networks.
Product Heritage
• Core technology developed with SBIR funding from the US Air Force
• Productized for commercial market
• Patent pending

Slide 3: Intended Uses
Target Markets:
• Fortune 5000 Corporations
• Government Agencies
• Integrators
• Service Providers
• Law Enforcement
Target Applications:
• Incident Response
• Insider Threat
• External Threat
• Compliance
• Information Assurance
• E-Discovery
• Criminal Investigations

Slide 4: OnLineDFS™ Deployment (network diagram, multi-user version depicted)
Labels recoverable from the diagram: Corporate Headquarters Servers; System Under Investigation (at headquarters, at Corporate Manufacturing Locations and at Regional Offices; wired/wireless/mobile); Investigator (browser interface) at any location: corporate, field location, law enforcement, service provider, home office, hotel, etc.; NOC (or other secure location) hosting the OnLineDFS application and data store; Network. Note: browser interface and OnLineDFS™ application can co-reside.

Slide 5: OnLineDFS Today - Summary of OnLineDFS Functionality
Columns run from most volatile (left) to persistent (right):

  Volatile State Data                 Memory                        Persistent data
  29 sources of running state data    Acquisition                   Files, folders, directories,
  captured from Windows targets,      Examination                   metadata, etc.
  and similar with Unix and Linux     Search                        Unallocated and slack space
  targets                             Registry: walk; capture,      Acquisition
  Acquisition                         search                        Examination
  Examination                                                       Image disk
  Search                                                            Search
  <-- Most volatile                                                 Persistent -->

Slide 6: Key Attributes
• Built for the examination of running systems
  • Collects information that is lost when the computer is shut down
  • Strong emphasis on volatile data and live examination of persistent data for rapid mitigation of risk
• "Plug-and-play" deployment
  • OnLineDFS installed on network or subnet – no physical contact with target system required
  • No pre-installed agents
  • Straightforward, simple architecture
  • Simple set-up and operation
  • Technology can be readily integrated with other technologies
• Investigate from anywhere, to anywhere
  • Investigator can work where the application is, or remotely from anywhere with Internet connectivity
  • Investigations performed through a secure network connection
  • Wired/wireless/mobile targets OK
• Discreet, non-disruptive:
  • Computer being analyzed is left in place
  • No end-user involvement needed
  • Investigative activity very difficult to detect
• Stable, solid product
  • Release 3.6
  • Designed to adhere to forensic best practices

Slide 7: OnLineDFS Advantages
• Designed for use in an enterprise environment
  • Built for the on-line, real-time, networked world
  • Drill down live to hosts with issues of investigative interest
  • Proactive tool to address issues as they are happening
• No pre-installed agents
  • Plug-and-play product based on a simple architecture; very easy to deploy, maintain and use
  • Discreet, unobtrusive, does not disrupt operations
• Flexible analytical approach fits the real world
  • Go where the data takes you, acquire what you need
  • Enhances investigation productivity and timeliness
  • Leverages investment in third-party tools
• Adheres to forensic best practices

Slide 8: OnLineDFS Delivers
• Law Enforcement: an effective tool for investigations in an enterprise environment
• Enterprises: a cost-effective tool to mitigate risk and conduct investigations effectively
• Service Providers: a tool to deliver outstanding customer timeliness and value

Slides 9-13 (product screenshots; title only):
Slide 9: Volatile Data Acquisition
Slide 10: Memory and Registry
Slide 11: Persistent Data
Slide 12: Data Analysis
Slide 13: Primary Data and Search

Slide 14: Demonstration Scenario
• Network security has observed unusual traffic on port 730 of host 192.168.171.202
• You are authorized to investigate this host and have the administrative account and password necessary to perform the investigation

Slides 15-43 (demonstration screenshots; title only):
Slide 15: Start the Investigation
Slide 16: Perform the Initial Acquire
Slide 17: Initial Acquire Completed
Slide 18: Let’s look at the Volatile Data
Slide 19: Look at Port 730 details
Slide 20: Let’s look at WINWORD
Slide 21: Dig Deeper
Slide 22: And Deeper
Slide 23: Acquire the WINWORD.exe
Slide 24: Acquire the WINWORD.exe
Slide 25: Acquire the WINWORD.exe
Slide 26: Acquire Completed
Slide 27: Let’s search within the acquired file
Slide 28: Search Completed with 5 matches
Slide 29: Let’s acquire memory
Slide 30: Background Task
Slide 31: Memory Acquire Completed
Slide 32: View Memory
Slide 33: Search for “Keylogger”
Slide 34: Search Results - Six Matches
Slide 35: Looks like a credit card entry
Slide 36: Let’s find the suspect
Slide 37: Start a new inquiry
Slide 38: Look at Port 1142
Slide 39: Have a look at Telnet
Slide 40: Search for credit card format
Slide 41: Let’s find Amazon
Slide 42: Same data - he is the bad guy
Slide 43: Comprehensive Documentation

Slide 44: Let’s Review the Investigation
• Acquired volatile data from host A
• Looked at port 730 details and found WINWORD.exe
• Acquired the WINWORD.exe file
• Determined that it is a keylogger
• Acquired memory and found the keylogger program and credit card data
• Referred back to the port 730 details and identified the IP address and port of the host connected to host A

Slide 45: Let’s Review the Investigation (continued)
• With this information, initiated a second investigation on host B
• From the volatile data acquired, we identified telnet as the process associated with port 1142
• Acquired memory and found the exact same credit card data as was found in the memory of host A
• Automatically generated detailed and thorough documentation of the entire investigation
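The pivot that the two review slides describe, as an added example that is not part of the deck or of the OnLineDFS product: over constructed connection-table and memory samples, it finds the process bound to a port and its peer (the port 730 / port 1142 step), then extracts Luhn-valid 16-digit card numbers from two memory images to confirm that the same card data is present on both hosts. The host 192.168.171.202 and ports 730/1142 come from the scenario; the PIDs, process lines, memory fragments and card numbers (public test numbers) are invented.

```python
import re

# Constructed samples (not real captures): one line per socket, the way a
# volatile-data acquisition lists connections. The host 192.168.171.202 and
# ports 730/1142 are from the scenario; PIDs and image names are invented.
HOST_A_CONNECTIONS = """\
TCP 192.168.171.202:730 192.168.171.55:1142 ESTABLISHED 1844 WINWORD.exe
TCP 192.168.171.202:445 0.0.0.0:0 LISTENING 4 System
TCP 192.168.171.202:3389 192.168.171.9:52011 ESTABLISHED 912 svchost.exe
"""
HOST_B_CONNECTIONS = """\
TCP 192.168.171.55:1142 192.168.171.202:730 ESTABLISHED 2216 telnet.exe
"""
# Constructed fragments standing in for the two acquired memory images
# (card numbers are public test numbers, not real accounts).
HOST_A_MEMORY = b"..Keylogger v1 buf: 4111 1111 1111 1111 exp 09/27 amazon.com.."
HOST_B_MEMORY = b"..recv: 4111-1111-1111-1111 09/27 amazon.com..5555555555554444.."

CONN_RE = re.compile(r"(\S+) (\S+):(\d+) (\S+):(\d+) (\S+) (\d+) (\S+)")
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")  # 16 digits, sep allowed

def process_on_port(table: str, local_port: int):
    """(pid, image, peer_ip, peer_port) of the socket bound to local_port, or None."""
    for m in CONN_RE.finditer(table):
        _proto, _lip, lport, rip, rport, _state, pid, image = m.groups()
        if int(lport) == local_port:
            return int(pid), image, rip, int(rport)
    return None

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_numbers(mem: bytes) -> set[str]:
    """Normalised 16-digit candidates in a memory image that pass Luhn."""
    found = set()
    for m in PAN_RE.finditer(mem):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.add(digits)
    return found

def shared_card_data(mem_a: bytes, mem_b: bytes) -> set[str]:
    # The deck's closing step: the same card data in both hosts' memory.
    return card_numbers(mem_a) & card_numbers(mem_b)
```

Running process_on_port on host A's table for port 730 names WINWORD.exe and its peer 192.168.171.55:1142, which is the host and port the second inquiry starts from.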
Slide 46: Cyber Security Technologies
Questions?
