Digital forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Memory Forensics Presentation from one of my lectures. I have tried to explain the functioning of memory in a 32-bit architecture, how paging works, how Windows manages its memory pages and how the memory forensics job is done. The forensics part focuses on collecting data and analyzing it.
Cloud Forensics... this presentation shows you the current state of progress and the challenges that stand today in the world of CLOUD FORENSICS. Based on lots of Google searching and white papers by Josiah Dykstra and Alan Sherman. The presentation builds right from the basics and compares the conflicting requirements between traditional and cloud forensics.
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx (CapitolTechU)
Slides from a Webinar presented on Oct. 6, 2022, by Dr. Kellup Charles, Chair of Cybersecurity at Capitol Technology University. Dr. Charles looks at OSINT--Open Source Intelligence, including the Process, Method, and Techniques.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly focus on the final goal of Stuxnet, which is to reprogram industrial control systems. Stuxnet is a large, complex piece of malware with many different components and functionalities. We have already covered some of these components in our blog series on the topic. While some of the information from those blogs is included here, this paper is a more comprehensive and in-depth look at the threat.
Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Industrial control systems are used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion...
This presentation covers what I am calling the 'Snowden Scenario.' This is when a privileged insider uses their power to steal data from an organization. If it can happen to the NSA, your organization is at risk too. Background checks, credentials and insurance aren't enough if your most valuable assets are leaked to the world.
The WEP protocol was introduced with the original 802.11 standards as a means to provide authentication and encryption to wireless LAN implementations.
WPA became available in 2003; it was the Wi-Fi Alliance's direct response to, and replacement for, the increasingly apparent vulnerabilities of the WEP encryption standard.
NIST Cloud Computing Forum and Workshop VIII
July 2015
Cloud Computing Forensic Science
Posted as a courtesy by:
Dave Sweigert
CISA CISSP HCISPP PMP SEC+
Memory forensics using VMI for cloud computing (Priyanka Aash)
The relocation of systems and services into cloud environments is on the rise. Because of this trend users lose direct control over their machines and depend on the services offered by cloud providers. In the field of digital forensics these services are still very rudimentary: the possibilities for users to analyze their virtual machines with forensic methods are very limited. In the research underlying this talk a practical approach has been developed that gives the user additional capabilities for forensic investigations. The solution focuses on a memory forensic service offering. To reach this goal, a management solution for cloud environments has been extended with memory forensic services. Self-developed memory forensic services, which are installed on each cloud node and managed through the cloud management component, form the basis of this solution. Forensic data is gained via virtual machine introspection (VMI) techniques. Compared to other approaches it is possible to obtain trustworthy data without influencing the running system. Additionally, a general overview of the underlying technologies is provided and the pros and cons are discussed. The approach is discussed in a generic way and practically implemented in a prototype. In this prototype OpenNebula is used for managing the cloud infrastructure, in combination with Xen as virtualization component, LibVMI as virtual machine introspection library and Volatility as forensic tool.
(Source: Black Hat USA 2016, Las Vegas)
Since the arrival of the cloud, security as we knew it has changed tremendously; in many ways it set us back 15 years from what we had achieved in enterprise security.
This presentation talks about the challenges the cloud presents to organizations and the measures they can take in response.
The Credit Union National Association (CUNA) issued a statement on Friday, April 26th, 2013 that a possible widespread Distributed Denial of Service (DDoS) attack may take place on Tuesday, May 7th, 2013.
Despite the numerous warnings, CUNA has offered little advice on how to manage the situation and mitigate an attack.
Realizing the severity of the situation, RedZone put together 5 practical ways to mitigate a DDoS attack against your organization, presented via GoToWebinar on Wednesday, May 1st, 2013.
The types of attacks we reviewed were:
1. Pure network attack against the credit union
2. Pure network attack against the ISP router
3. Content DDoS
4. DNS DDoS
5. Random Botnet attack
We also answered the following questions:
• What does it mean?
• What are your Zero day protection options?
• What to check on your security products?
• How to enable Global IP protection?
• How do I detect fraud communication in advance?
• What are some vendor product options?
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1) (Manoj Kumar)
Understand about current cloud market, cloud service providers - Azure or Amazon, cloud fundamentals, VM Virtualization, Cloud deployment models, IaaS vs PaaS vs SaaS, Cloud Security and Risks.
Presentation material from the HTML5 Conference held at COEX on November 26, 2018. It may differ somewhat from the material actually presented at the venue.
This talk introduces a serverless environment built with AWS S3, an SPA, VueJS and related tools. The talk was given by 한종원.
Introductory material on the InterPlanetary File System (IPFS).
I wanted to write it entirely in Korean,
but due to time constraints I could not get to translating the English from the middle onward.
(I will revise it later if time permits.)
The sources of all figures and charts are given as links.
Please use this material to understand the overall flow,
and I recommend reading the original links once more.
3. forensicinsight.org
Dropbox Forensics
• Dropbox
  – Web-based file sharing service
  – 12 clients supported in total
    • Desktop: Windows, Mac OS X, Linux
    • Mobile: iOS, Android, Symbian, Windows Mobile, Blackberry
  – 2 GB free per account
• Automatic synchronization and file sharing between users
http://forensic.n0fate.com
6. Dropbox Forensics
• Dropbox data is stored on the local disk
  – Each file can be accessed from the disk image
  – Analysis proceeds without any special difficulty
• What about deleted files?
  – Deleted files are recorded in '.dropbox.cache'
  – Version history is recorded on the Dropbox web page
7. Show deleted files
• Deleted files are kept in '.dropbox.cache'
  – Stores files that were moved/modified/deleted after synchronization
  – Data is retained for up to 3 days
n0fate-MacBook-Air:~ n0fate$ cd Dropbox/.dropbox.cache/
n0fate-MacBook-Air:.dropbox.cache n0fate$ ls
2013-08-16 2013-08-17
n0fate-MacBook-Air:.dropbox.cache n0fate$ cd 2013-08-16
n0fate-MacBook-Air:2013-08-16 n0fate$ ls
2013 디지털 포렌식 기술 동향 (deleted 60f35a91ffee07c883802a5920aa553f).pptx
2013 디지털 포렌식 기술 동향 (deleted eafa23ac8430ffa0cfb77d847926c0bf).pptx
3E4E51888FB14B239407637B07A3D035 (deleted 2bdac50f2409a961cbefaa83ada787c8).doentry
43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry
n0fate-MacBook-Air:2013-08-16 n0fate$ file *
2013 디지털 포렌식 기술 동향 (deleted 60f35a91ffee07c883802a5920aa553f).pptx: Zip archive data, at least v2.0 to extract
.....<snip>...
43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry: XML document text
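The ls/file workflow shown on this slide, as an added example that is not part of the original deck: a small Python triage script that walks the per-day directories of .dropbox.cache, parses the "(deleted <32 hex>)" tag Dropbox puts into cached file names, and sniffs the container type from magic bytes so the analyst gets one table instead of running ls and file by hand. The directory layout and tag format come from the listing above; the temporary sample tree the script builds is constructed for the demonstration, and the signature table and the CacheEntry fields are assumptions.

```python
# Added example (not from the forensicinsight.org slides): triage the per-day
# directories of a Dropbox '.dropbox.cache' folder. Cached names carry a
# "(deleted <32 hex>)" tag before the extension (format taken from the slide);
# the signature table and record layout below are assumptions.
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# "<original name> (deleted <32 hex>)<extension>"
CACHE_NAME_RE = re.compile(
    r"^(?P<name>.+?) \(deleted (?P<tag>[0-9a-f]{32})\)(?P<ext>\.[^.]+)?$"
)


@dataclass
class CacheEntry:
    day: str        # YYYY-MM-DD retention directory the entry was found in
    original: str   # file name as it was before deletion/modification
    tag: str        # 32-hex tag Dropbox appended when caching the file
    ext: str
    kind: str       # container type sniffed from magic bytes
    size: int


def sniff_kind(head: bytes) -> str:
    """Classify a file from its leading bytes (assumed signature table)."""
    if head.startswith(b"PK\x03\x04"):
        return "zip-archive"        # .pptx/.docx are OOXML zip containers
    if head.lstrip().startswith(b"<"):
        return "xml-text"           # .doentry files showed up as XML on the slide
    if head.startswith(b"SQLite format 3\x00"):
        return "sqlite3"
    return "unknown"


def parse_cache_name(name: str) -> Optional[dict]:
    """Split a cache file name into original name, deleted-tag and extension."""
    m = CACHE_NAME_RE.match(name)
    if not m:
        return None
    return {"original": m["name"], "tag": m["tag"], "ext": m["ext"] or ""}


def triage_cache(cache_dir: str) -> List[CacheEntry]:
    """Walk every YYYY-MM-DD directory and return one record per cached file."""
    entries = []
    for day in sorted(os.listdir(cache_dir)):
        day_path = os.path.join(cache_dir, day)
        if not (os.path.isdir(day_path) and re.fullmatch(r"\d{4}-\d{2}-\d{2}", day)):
            continue
        for fname in sorted(os.listdir(day_path)):
            parsed = parse_cache_name(fname)
            if parsed is None:
                continue            # not a Dropbox cache artefact, skip it
            path = os.path.join(day_path, fname)
            with open(path, "rb") as fh:
                head = fh.read(64)
            entries.append(CacheEntry(day, parsed["original"], parsed["tag"],
                                      parsed["ext"], sniff_kind(head),
                                      os.path.getsize(path)))
    return entries


def build_sample_cache() -> str:
    """Constructed sample tree mirroring the slide's listing (test data only)."""
    root = tempfile.mkdtemp(prefix="dropbox-cache-")
    day = os.path.join(root, "2013-08-16")
    os.makedirs(day)
    samples = {
        "2013 forensics trends (deleted 60f35a91ffee07c883802a5920aa553f).pptx":
            b"PK\x03\x04" + b"\x00" * 28,
        "43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry":
            b"<?xml version=\"1.0\"?><entry/>",
        "notes.txt": b"no deleted tag, must be ignored",
    }
    for name, data in samples.items():
        with open(os.path.join(day, name), "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(root, "2013-08-17"))   # empty second retention day
    return root


if __name__ == "__main__":
    for e in triage_cache(build_sample_cache()):
        print(f"{e.day}  {e.kind:12} {e.size:6d}  {e.original}{e.ext}  tag={e.tag}")
```

Run it against a mounted image as triage_cache("/mnt/image/home/user/Dropbox/.dropbox.cache"); because the cache only survives for about three days, the retention directory name is itself evidence of when the deletion or modification happened.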
8. Dropbox Forensics
• What if the attacker has wiped the folder?
  – The directory contents are zeroed out, so they cannot be analyzed
  – Analyze as much as possible from the remaining artifacts
• Artifacts that may still exist
  – Account information
  – File list (existing / deleted files)
  – Whether files were synchronized
9. filecache.dbx
• SQLite3 database format
• file_journal table (<2013)
  – Contains a listing of all directories and files
  – Synchronization information
  – Only the live files, not deleted ones
  – Deleted records can be recovered through SQLite3 carving
• In early 2013 Dropbox released an update that encrypted this file
10. filecache.dbx
• Contents cannot be viewed with SQLite3 DB Browser
  – Does not look like a valid file in a hex editor
• Cannot be interpreted correctly because the data is encrypted
  – Uses SQLite3 database encryption
  – Generates a database key from per-user key material (the user "password") and encrypts the entire database with it
  – To decrypt, the same key must be regenerated
11. Client Database Key Generation (Windows)
• User key generation
  [Diagram] The key store is read from the registry path HKCU\SOFTWARE\Dropbox\ks. The stored blob consists of: version, payload length, payload, HMAC.
  1. HMAC: the HMAC over the blob is recomputed with a fixed HMAC key and compared with the stored HMAC (validation)
  2. CryptUnprotectData API: the validated payload is unprotected with DPAPI, yielding the User Key
12. hostkeys Database Key Generation (Linux)
• User key generation
  [Diagram] The key store is the file /home/<USER>/.dropbox/hostkeys, consisting of: version, payload, HMAC.
  1. HMAC: recomputed with a fixed HMAC key and compared with the stored HMAC (validation)
  2. AES-128 with CBC: the payload is decrypted with a fixed initial vector and the Unique Key md5("ia9'<hostkeys FILEPATH>Xa|ui20"), yielding the User Key
13. Database Key Generation (Windows/Linux)
• Database key generation
  [Diagram] PBKDF2(passphrase = User Key, salt = fixed value, iteration count = 1066) produces the DB Key (16 bytes)
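Slides 11 to 13 describe the key pipeline as diagrams. The following Python, added here and not part of the deck or of newsoft's dbx-keygen tools, models the Linux hostkeys path end to end: HMAC validation of the key store, AES-128-CBC unwrapping keyed by md5("ia9'<hostkeys path>Xa|ui20") with a fixed IV, then PBKDF2 with 1066 iterations down to a 16-byte DB key. The slides do not publish the fixed HMAC key, IV or salt, the hash functions behind the HMAC and PBKDF2, or the exact byte layout of hostkeys, so those values and the layout below are assumptions chosen to make the example self-contained (it builds its own test blob and uses the cryptography package for AES); only the pipeline shape comes from the slides. On Windows, step 2 would call CryptUnprotectData instead of AES-CBC.

```python
# Added example, not the slides' own code nor newsoft's dbx-keygen. Only the
# pipeline shape (HMAC validate -> AES-128-CBC unwrap keyed by
# md5("ia9'<path>Xa|ui20") -> PBKDF2 x1066 -> 16-byte DB key) is from the
# slides; constants, hash choices and the blob layout are ASSUMPTIONS.
import hashlib
import hmac
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

VERSION = 1
HMAC_KEY = b"assumed-fixed-hmac-key"     # assumption: not the real constant
FIXED_IV = b"\x00" * 16                   # assumption: not the real constant
PBKDF2_SALT = b"assumed-fixed-salt"       # assumption: not the real constant
PBKDF2_ITERATIONS = 1066                  # from slide 13
DB_KEY_LEN = 16                           # from slide 13
HMAC_LEN = hashlib.sha256().digest_size   # assumption: HMAC-SHA256 framing


def unique_key(hostkeys_path: str) -> bytes:
    """Per-host AES-128 key: md5("ia9'" + path + "Xa|ui20"), as on slide 12."""
    return hashlib.md5(b"ia9'" + hostkeys_path.encode() + b"Xa|ui20").digest()


def _aes_cbc(key: bytes, data: bytes, encrypt: bool) -> bytes:
    ctx = Cipher(algorithms.AES(key), modes.CBC(FIXED_IV))
    op = ctx.encryptor() if encrypt else ctx.decryptor()
    return op.update(data) + op.finalize()


def _pad(data: bytes) -> bytes:           # PKCS#7, 16-byte blocks (assumed)
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong unique key or corrupt payload")
    return data[:-n]


def build_hostkeys(user_key: bytes, hostkeys_path: str) -> bytes:
    """Constructed writer, used only to produce test data for the reader."""
    payload = _aes_cbc(unique_key(hostkeys_path), _pad(user_key), True)
    body = bytes([VERSION]) + payload
    return body + hmac.new(HMAC_KEY, body, hashlib.sha256).digest()


def recover_user_key(blob: bytes, hostkeys_path: str) -> bytes:
    """Steps 1 and 2 of slide 12: validate the HMAC, then AES-128-CBC unwrap."""
    if len(blob) < 1 + 16 + HMAC_LEN:
        raise ValueError("hostkeys blob too short")
    body, tag = blob[:-HMAC_LEN], blob[-HMAC_LEN:]
    expected = hmac.new(HMAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):             # step 1: validation
        raise ValueError("HMAC mismatch: blob modified or wrong HMAC key")
    if body[0] != VERSION:
        raise ValueError(f"unsupported key store version {body[0]}")
    payload = body[1:]
    return _unpad(_aes_cbc(unique_key(hostkeys_path), payload, False))  # step 2


def derive_db_key(user_key: bytes) -> bytes:
    """Slide 13: PBKDF2(passphrase=User Key, fixed salt, 1066 iterations) -> 16 bytes."""
    return hashlib.pbkdf2_hmac("sha1", user_key, PBKDF2_SALT,
                               PBKDF2_ITERATIONS, DB_KEY_LEN)   # sha1 is an assumption


def db_key_from_hostkeys(blob: bytes, hostkeys_path: str) -> bytes:
    """Full chain: hostkeys blob + original path -> SQLite DB key."""
    return derive_db_key(recover_user_key(blob, hostkeys_path))


if __name__ == "__main__":
    path = "/home/analyst/.dropbox/hostkeys"       # assumed path on the suspect host
    user_key = os.urandom(16)
    blob = build_hostkeys(user_key, path)
    assert recover_user_key(blob, path) == user_key
    print("DB key:", db_key_from_hostkeys(blob, path).hex())
```

Because the unique key is bound to the absolute path of the hostkeys file, the analyst must pass the path the file had on the suspect host (for example /home/<USER>/.dropbox/hostkeys), not the path of the copy extracted from the image; with any other path the AES step yields garbage and the padding check fails. The HMAC check also rejects any blob altered after acquisition, which makes it a cheap integrity check before attempting decryption.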
14. Decrypting SQLite DBX
• SQLite Encryption Extension (SEE)
  – Reads and writes encrypted database files
  – All data and metadata is encrypted
  – To an outside observer the database appears to contain white noise
  – The public version of SQLite will not be able to read or write an encrypted database file
Link: http://www.sqlite.org/see/doc/trunk/www/readme.wiki
16. Tools (Online)
• Developed by newsoft, a member of the team that presented "A Critical Analysis of Dropbox Security"
  – https://github.com/newsoft
• Tools
  – Dropbox DB Key Generator: dbx-keygen-windows / dbx-keygen-linux (no Mac OS X version)
  – DBX Decryptor: sqlite3-dbx
19. Dropbox Decryptor
• When/Who: March 1, 2013, Magnet Forensics
• Requirements
  – filecache.dbx file
    • [root]\Documents and Settings\username\Application Data\Dropbox on XP, or [root]\Users\Jad\AppData\Roaming\Dropbox on Vista
  – The entire Protect folder for that user
    • [root]\Documents and Settings\username\Application Data\Microsoft on XP, or [root]\Users\Jad\AppData\Roaming\Microsoft on Vista/7
  – A file containing the raw bytes from the Dropbox 'client' value under the 'ks' key in the registry
    • registry/NTUSER.dat file (full path is HKEY_CURRENT_USER\Software\Dropbox\ks)
  – User's Windows login password