Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demands the acquisition of the largest amount of information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers and non-enlightened investigators all have the ability to impact the amount of useful information we have at our disposal. Michael will show the audience real world scenarios detailing how anti-forensics tools are used to hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by a discussion of hands-on identification and prevention practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
Digital Forensics is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital devices.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Computer forensics is a very important branch of computer science in relation to computer and Internet related crimes. Earlier, computers were only used to produce data, but the field has now expanded to all devices related to digital data. The goal of computer forensics is to perform crime investigations by using evidence from digital data to find who was responsible for that particular crime.
For better research and investigation, developers have created many computer forensics tools. Police departments and investigation agencies select the tools based on various factors including budget and available experts on the team.
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
A 1-day short course developed for visiting guests from Tecsup on network forensics, prepared in a day : ]
The requirements/constraints were 5-7 hours of content and that the target audience had very little forensic or networking knowledge. [For that reason, flow analysis was not included as an exercise, discussion of network monitoring solutions was limited, and the focus was on end-node forensics, not networking devices/appliances themselves]
Cloud Forensics... this presentation shows you the current state of progress and challenges that stand today in the world of cloud forensics. Based on lots of Google searches and white papers by Josiah Dykstra and Alan Sherman. The presentation builds right from basics and compares the conflicting requirements between traditional and cloud forensics.
Course Objectives:
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
This is a draft presentation of a video lesson taken from the course "Digital forensics with Kali Linux" published by Packt Publishing in May 2017: https://www.packtpub.com/networking-and-servers/digital-forensics-kali-linux
This presentation introduces memory forensics and recalls the most important concepts of virtual memory and paging.
The Windows Logging Cheat Sheet is the definitive guide on learning where to start with Windows Logging. How to Enable, Configure, Gather and Harvest events so you can catch a hacker in the act.
In practice it often proves difficult to determine which risks an organisation faces and what an appropriate level of security for them is. Yet this knowledge is necessary in order to take the right measures and to invest effectively in information security. On 12 December 2012 Pinewood, in cooperation with McAfee, organised a seminar that addressed this. Handy tools such as Risk Management and McAfee Nitro (McAfee's SIEM product) and Pinewood's pragmatic approach offer concrete tools and insight for arriving at an effective information security policy.
Using Hard Disk Encryption and Novell SecureLogin (Novell)
Laptop theft is one of the most common crimes in industrial countries. Therefore, the demand for laptop security and the need to protect confidential data on hard disks is increasing. Several products on the market address this issue by offering hard disk encryption combined with login security. This session will show how these solutions can be integrated into a Novell environment.
A typical scenario might look like the following: The digital certificates used for encryption are generated in Novell eDirectory; the certificates are used with smartcards, which are also managed in eDirectory. The configuration of the hard disk encryption solution is deployed to clients with Novell ZENworks (no user interaction is necessary during installation and configuration). The hard disk encryption registration is combined with Novell SecureLogin, which results in a single sign-on.
This session will describe in detail what the configuration of hard disk encryption in such a scenario looks like, and will feature a live demonstration. The presenters are independent consultants with no interest in marketing a particular hard disk encryption solution.
RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It (RightScale)
Are you overwhelmed by the plethora of cloud security vendors and not sure how to get started with security monitoring in a cloud environment?
Find out how we at RightScale use security monitoring in the cloud to achieve compliance, send critical alerts, and collect forensic data.
In this webinar, we will:
- Guide you through the framework we used to define our goals for security monitoring, decide how we wanted to do it, and then select which tools to use.
- Share practical insights on how to successfully do security monitoring in a cloud environment.
- Realign the focus to be on delivering results instead of implementing technology for technology's sake.
Join RightScale's Director of Security & Compliance Phil Cox and Senior Security Engineer Tony Spataro to learn directly from the team responsible for the security architecture and regulatory compliance for one of the most complex cloud-based deployments on the planet.
This presentation examines the business case for and against penetration testing. It also includes some low hanging fruit as it relates to common security vulnerabilities.
The faltering economy has not slowed the alarming rate of attempted and successful data theft. In fact, it might actually be spurring data thieves to try even harder. Unfortunately, the faltering economy has also meant deep cuts in IT budgets. Although IT budgets are being reduced, the need to protect sensitive data has not gone away. IT security professionals are frustrated by this. How can security be provided in a budget constrained environment? A solution is needed quickly for this critical business issue.
The session will review the different options for data protection strategies for PCI DSS. This presentation is focused on answering the question “How can IT security professionals provide data protection in the most cost effective manner?” This presentation also includes an anonymous case study about an Enterprise Data Security project, at the ABC company, including the strategy that addresses key areas of focus for file and database security encompassing all major platforms. This session will also present methods to protect the entire data flow across systems in an enterprise while minimizing the need for cryptographic services.
Building an enterprise forensics response service (Seccuris Inc.)
What issues are enterprises facing that require digital forensics?
• In-depth technical issues within the IT environment
o Complex attack / virus analysis
o Packet analysis
o Complex environment investigation coordination (VMWare)
• Separation of duties / transparency issues with IT staff
o Integrity and audit-ability issues from regulators and common due diligence requirements
• System Audit Functionality verification
o Audit System Investigation / Recovery
• Ensure systems are preserved for forensic investigation*
o Banking Standards
o NIST Standards
o PCI
o US State Laws
• Legal issues such as eDiscovery
o Prepare, Preserve & Produce electronically stored information
• Privacy issues from legislation, regulation and clients
o “DNA Forensics” – Identification for good & evil
• Records Management issues
o Historical Data Retrieval
o Data reconstruction
• Human Resources issues / employee investigations
o Inappropriate Use
o Harassment / Workplace Safety
o Loss management issues / evidence verification
o Theft / Fraud investigation support
o Sabotage
What is an Enterprise Forensics Response Service?
• Enables business owners to actively enforce corporate policy and protect and preserve digital assets through the use of forensic methods.
• Handles investigation requests from many different parts of the organization
o IT (Network / Applications)
o Internal Audit / Compliance
o Legal
o Privacy
o Records Management
o Human Resources / Employee Managers
o Loss Management / Physical Security
• An Enterprise Architectural Perspective of an EDF Service (Overview)
o Conceptual linkages to the business & information security strategy
o Logical service definition, examples of peer services
o Physical mechanisms that the EDF service is comprised of
o Examples of components that the EDF service utilizes
- What does the presentation cover?
• Identification & definition of required forensic services
• Review of common service mechanisms and components
• Considerations for implementing & service management in the enterprise
Digital Anti-Forensics: Emerging trends in data transformation techniques (Seccuris Inc.)
This paper explores two questions: What
methods can be used to deceive someone who is
in an investigative role into trusting an object
which has been exploited? What kind of impact
does operating system and application run-time
linking have on live investigations? After
experimenting with dynamic object
dependencies and kernel modules in the UNIX
environment, it is the opinion of the authors that
run-time linking can be exploited to alter the
execution of otherwise trusted objects. This can
be accomplished without having to modify the
objects themselves. If an investigator trusts an
inherently un-trusted object, it can result in the
possible misdirection of a digital investigation.
Security Information Management: An introduction (Seccuris Inc.)
Information Security managers have long been tasked with monitoring the enterprises they work for, while the business requirements for enterprise security monitoring continue to mutate and be redefined with ever increasing speed. The definition and location of our assets shifts on a daily basis, requiring a new, unsurpassed level of flexibility and visibility in managing information security. Traditional security technologies have continued their overlap with network, information and audit management solutions, creating workplace silos for managing information security.
The ability to monitor in the enterprise, identifying, interpreting and intelligently responding to the true needs of our organizations seems impossible.
This presentation introduces Security Information Management (SIM) technologies and concerns, outlining potential solutions and approaches you can take to move your security posture forward.
Building Critical Infrastructure For Business Recovery (Seccuris Inc.)
How can we enhance our business continuity plans by incorporating critical technical infrastructure, remote access and technical incident handling strategies? How do these strategies differ between man-made and natural disasters? Michael’s presentation will look at key issues that companies need to address now in order to recover from a business altering disaster, considering key components that should be embedded in your business continuity plan. Michael will highlight key business continuity issues that technology can help address and detail the implementation options available.
Information Security Architecture: Building Security Into Your Organization (Seccuris Inc.)
Controls and solutions can mitigate risk, but can also deeply undermine business productivity and the benefits that new technologies may bring. Harnessing the SABSA Information Security framework will allow your organization to build robust enterprise security architecture, directly supporting and enabling your organization's core objectives.
This presentation will highlight the key concerns you should be aware of within your organization and current security program, as well as provide specific recommendations to successfully move your security and compliance goals ahead. Learn more about the techniques and tools readily available in the industry and how you can use these tools to create immediate wins and security improvements in your organization.
Virtually Secure: Uncovering the risks of virtualization (Seccuris Inc.)
Organizations have been quickly leveraging the benefits of virtualized platforms in their datacenters, often unknowingly increasing the exposure of their most prized assets.
Michael will highlight the key concerns around virtualization technologies including the answers to questions such as are virtualized servers PCI compliant and what minimum controls must exist to protect the hypervisor? He will walk the audience through the latest technical threats and shed light on the solutions and controls available to secure your virtual environments.
Making Executives Accountable for IT Security (Seccuris Inc.)
How do we make executives accountable for IT Security?
Michael outlines the general challenges, details key items of concern and discusses the focus areas that can be taken to improve the daily governance of IT security in your organization.
Improving Your Information Security Program (Seccuris Inc.)
Michael walks the audience through the key focus areas in the creation of information security dashboards and discusses topics such as: What about our Information Security Program is important?
How can I represent my Information Security Program in a dashboard? What elements of my program should I measure and report on? What must happen with the output?
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already have working for real.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Anti-Forensics: Real world identification, analysis and prevention
1. Digital Anti-Forensics
Real World Identification, Analysis & Prevention
Michael Legary
IR-10
November 7, 2007
Copyright 2005 Seccuris Inc
2. Introduction
Michael Legary
Founder, Seccuris Inc.
CISSP, CISA, CISM, CCSA, GCIH, SCF
CNE, MCSE, CCNA
3. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
4. Organization A - Agrieng Inc
• Small Agri-Business
• Sales +/- 2M & 25 Employees
• Designs tractors, balers, etc
• Heavy use of electronic drafting & engineering software
• Bids on contract work for major manufacturers
5. Organization A - Agrieng Inc
• Outbid & Outsold by foreign competitor
• One particular competitor’s designs look eerily similar
6. Organization B – ServPro GmbH
• Large Service Provision company
• Sales +/- 200M & 2500 Employees
• Provides Information Management Solutions to world wide organizations
• Specialized database and information mining technology separate ServPro from competitive organizations
• Currently handles personal information of over 50 million individuals
7. Organization B – ServPro GmbH
• A few clients are reporting an increase in identity theft reports by their constituents.
• There seems to be a pattern in the types of information being reported as stolen.
8. Organization C – Government Department
• Federal organization providing legal related services
• Handles specialty investigations from multiple provinces
• Conducting investigation in high tech criminal activity
9. Organization C – Government Department
• Suspects are continually evading capture
• Individuals caught seem to have been prepared for questioning
• Little to no evidence identified when caught
10. Forensic Investigation
• What is going on?
• Who is behind the activity?
• Why are they doing it?
• When did they start / stop?
• Where are they located?
• How is the activity occurring?
• Has a crime taken place?
11. Forensic Investigation
• Often in cases involving information systems, standardized forensic investigation does not occur until it is known that suspicious activity is happening
• Where do we look for this activity?
12. Digital Evidence & Forensics
• Digital evidence exists all around us
• Tools and techniques available to investigators have greatly increased in recent times
• Reliance on digital evidence is becoming a reality
• Where is evidence on a system?
13. [Diagram: layers of a system, top to bottom: User Console, User Level, Kernel Interface, Memory, Kernel Level, File System, Hardware Level]
14. Evidence exists in:
Memory
• System Memory
• System Cache
File System
• File System
• File System Cache
[Diagram: a Program with its Config File, Target File, Log File, Temp Log and Temp File, placed across the Memory and File System layers]
15. Evidence exists in:
User Level
• Running Programs
• Running Services
• Active Processes
[Diagram: the User Level Service, Kernel Interface, Kernel Level and Hardware Level layers]
16. [Diagram: system layers (User Console, User Level Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level) with a Program's Config File, Target File, Log File, Temp Log and Temp File placed in Memory and on the File System]
17. Standardized process for digital evidence
Standard processes being created for:
• Attack Identification
• Forensic Investigation
• Image Capture
• Image Analysis
• Evidence identification
18. Standardized process for digital evidence
Forensic investigations are initiated from evidence collected during the attack identification process. If an investigator cannot identify an attack, forensic investigation will not be conducted, allowing attackers to go unnoticed.
19. [Diagram: Identification, shown over the system layers (User Console, User Level Service, Kernel Interface, Memory, Kernel Level, File System, Hardware Level) and the Program's Config File, Target File, Log File, Temp Log and Temp File]
20. [Diagram: Forensic Investigation over the same system layers, with the image captured at each layer: SYSTEM STATE IMAGE at the Kernel Interface, MEMORY IMAGE at Memory, HARD DRIVE IMAGE at the File System]
21. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
22. Anti-Forensics
What is it?
• Practices and processes to prevent, counteract or neutralize an investigator’s ability to identify or recover evidence for use in an investigation.
23. Anti-Forensics
The common purpose:
• Prevent detection of the attacker
• Prevent an investigator from gaining usable knowledge
• Destroy, hide, prevent creation of, or transform data
24. Anti-Forensics
The common purpose:
• Even if an attacker is detected, evidence regarding their means, methods and motives will already have been altered, preventing accurate investigation or prosecution.
25. The origins of Anti-forensics
• Traditional
techniques
• Physical
• Financial
• Criminal
• Good Examples
• On Television
26. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
27. Anti-forensics – Methods Overview
• In order to maintain covert activities of any sort, there is a requirement to destroy, hide, prevent creation of, or transform data in order to remain hidden.
28. Anti-forensics – Methods Overview
Destruction of data
• Goal
• Significantly Damage the Integrity of Evidence
• Physical Destruction of Data
• Magnetic Techniques (Degaussing)
• Brute Force
• Logical Destruction of Data
• Reinitialize Media
• Significantly change composition of data on media
29. Anti-forensics – Methods Overview
Hiding of data
• Goal
• Limit identification and collection of evidence
• Obfuscation
• Information Manipulation
• Steganography
• Encryption
• Data Encryption
• Media Encryption
30. Anti-forensics – Methods Overview
Data creation prevention
• Goal
• Prevent creation of evidence
• Direct Prevention
• Root Kits
• Modification of System Binaries
• Indirect Prevention
• Limit system functionality (DoS) to prevent creation of data
31. Anti-forensics – Methods Overview
Transformation Techniques
• Goal
• Maintain or Re-establish investigator trust in
falsified data as evidence.
• Conventional Techniques
• Root Kits
• Advanced Techniques
• Shared Library Hijacking
32. (Diagram: Identification phase with an attacker present. An Attacker Program runs at user level and an Attacker File sits on the file system beside the Config File, Program, Target File, Log File, Temp Log and Temp File.)
33. Anti-forensics – Methods Overview
Transformation Techniques
• One of the most complex technical attacks being performed today
• Understanding and appreciating the methods used will allow us to reform our investigation techniques
34. Anti-forensics – Methods Overview
Transformation Techniques
• WHY?
• A detailed forensic investigation may never start if there is no suggestion of system tampering
• These techniques can make very ugly systems look like good ones…
35. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
37. Anti-Forensics – Traditional Techniques
Conventional transformation methods
• Initial System Compromise
• Deception of Security Personnel
38. Conventional transformation methods
• Initial System Compromise
• Breach of the system through a known vulnerability
• Attacker gains access to the system and attempts to bypass detection
39. Conventional transformation methods
• Deception of Security Personnel
• Deleting files
• Hiding files / logs / activities
• Root Kits
• Tools used to identify suspicious activity (on BSD)
• Disk tools: df, ls, du
• Process tools: ps, top, crontab
• Network tools: netstat, sockstat, fstat, tcpdump
• These are exactly the binaries a user-level rootkit replaces first, so run statically linked copies from read-only media rather than the ones on the suspect system
• Be suspicious of your compiler
40. Traditional Techniques – AgriEng Inc
• Attacker identifies vulnerability
• Breaks into system
• Removes logs
• Installs rootkit
• Downloads engineering files
• Configures backdoor into system
41. (Diagram: AgriEng Inc compromise on the layered model. An Attacker Program runs at user level and an Attacker File sits on the file system beside the Config File, Program, Target File, Log File, Temp Log and Temp File.)
42. (Diagram: Identification phase for AgriEng Inc. The Attacker Program is now resident in memory as well as on the file system beside the Attacker File; the Log File is gone from the file system.)
44. Anti-Forensics – Traditional Techniques
Advanced Transformation Methods
• Kernel modules and hijacking of system calls
• Kernel level root kit
• Provides undetected and almost unlimited access to a compromised system
• Allows attackers to perform a variety of functions such as:
• Hide processes
• Hide files and registry keys
• Log keystrokes
• Redirect executable files
• Issue commands
• Generate its own hidden TCP/IP stack
• Remote administration
45. Traditional Techniques – ServPro GmbH
• Attacker identifies vulnerability
• Breaks into system
• Removes logs
• Installs kernel level rootkit
• Installs system sniffer
• Creates automated system to send out client information
46. (Diagram: ServPro GmbH compromise on the layered model. An Attacker Program runs at user level and an Attacker File sits on the file system beside the Config File, Program, Target File, Log File, Temp Log and Temp File.)
47. (Diagram: Identification phase for ServPro GmbH. The Attacker Program is resident in memory and on the file system beside the Attacker File; the Log File is gone from the file system.)
49. Anti-Forensics - Traditional Techniques
Traditional Transformation Detection Methods
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
50. Transformation Detection Methods
• Cryptographic hashing for data integrity
• Using fingerprints, investigators can confirm that files come from trusted sources, or weed out known attack tools
• MD5 / SHA / RIPEMD (MD5 collisions have been practical since 2004, so new baselines should use SHA-256 or stronger; MD5 remains useful only for matching legacy known-bad lists)
• HIDS – use of cryptographic hashing
• Tripwire, Axent, Cybersafe, ISS
51. Cryptographic hashing for data integrity
Trusted Command Executable
% md5 ps.trusted
MD5 (ps.trusted) = 9501ef286ef3ab8687b7920ca4fee29f
Un-trusted Command Executable
% md5 /bin/ps
MD5 (/bin/ps) = 02b2f8087896314bafd4e9f3e00b35fb
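The comparison on the slide, turned into a reusable baseline check. This is an added example, not code from the deck or from Seccuris: it records a SHA-256 digest of every file under a directory from a known-good state and later reports what changed, so a trojaned ps, a deleted tool and a dropped attacker file are all surfaced in one pass. The directory, the fake "binaries" and the attacker actions in demo() are constructed for the demo.

```python
"""Integrity baseline for system binaries: build once from a trusted state,
verify later. Uses SHA-256 instead of the slide's MD5. The directory and
the 'binaries' in demo() are constructed for the demo."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Digest of every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # skip links; a binary swapped for a link shows as 'missing'
                continue
            baseline[os.path.relpath(full, root)] = file_digest(full, algo)
    return baseline


def verify(root, baseline, algo="sha256"):
    """Compare the current tree with a stored baseline.

    Returns sorted lists of files whose digest changed ('modified'), files the
    baseline knows but which are gone ('missing'), and files the baseline has
    never seen ('added', where a dropped backdoor or attacker tool lands)."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake bin directory, then let an
    'attacker' trojan ps, delete ls and drop a hidden file."""
    root = tempfile.mkdtemp(prefix="fakebin-")
    originals = {"ps": b"#!/bin/sh\necho real ps\n", "ls": b"#!/bin/sh\necho real ls\n"}
    for name, body in originals.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    baseline = build_baseline(root)

    # user-level rootkit behaviour: a wrapper ps that filters the attacker's process
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"#!/bin/sh\n/bin/ps.real \"$@\" | grep -v backdoor\n")
    with open(os.path.join(root, ".backdoor"), "wb") as f:
        f.write(b"constructed attacker file\n")
    os.remove(os.path.join(root, "ls"))
    return verify(root, baseline)
```

The check is only as trustworthy as the path the bytes travel through: the hashing tool, the kernel's read path and the stored baseline must all come from somewhere the attacker did not control. A kernel-level rootkit that redirects executable files (slide 44) can hand the hasher the clean bytes while running the trojan, so hash from a boot off trusted media or against the hard drive image of slide 20, and keep the baseline off the box.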
52. (Diagram: hash comparison on the layered model. The Program on the file system is compared with a Known Good Program: NOT SAME, ATTACK DETECTED! The Attacker Program and Attacker File remain on the system.)
53. Transformation Detection Methods
• Process Analysis
• Processes carry content such as:
• Open files
• Memory maps
• Ownership labels
• Resource consumption statistics
• Analysis of these characteristics allows an investigator to identify discrepancies in common system activity
• Utilities such as:
• ps -aux (ps aux on Linux)
• top
• procfs
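One concrete form of the discrepancy check above, added here as an example and not taken from the deck: compare the process list that the ps binary reports with the pids the kernel itself exposes through procfs. A user-level rootkit that trojans ps filters its own pids out of the first view but cannot touch the second. Two snapshots are compared so that a process that merely exited between the two reads is not reported as hidden. The ps output and /proc listings are constructed sample data; the live collectors assume a Linux-style /proc.

```python
"""Cross-view check for hidden processes: ps output versus procfs.
Sample data is constructed; live_snapshot() assumes a Linux /proc layout."""
import os
import re
import subprocess

# "USER PID ..." rows from ps aux or ps -e -o user,pid; the header row is skipped
_PS_ROW = re.compile(r"^\S+\s+(\d+)\b")


def parse_ps(text):
    """Return the set of pids listed in ps output."""
    pids = set()
    for line in text.splitlines()[1:]:
        m = _PS_ROW.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_proc(entries):
    """Return the pids from a /proc directory listing (numeric names only)."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(ps_views, proc_views):
    """Pids present in every procfs snapshot but in none of the ps snapshots.

    Requiring presence in every procfs view drops processes that started or
    exited between reads; a pid that persists yet never appears in ps is hidden."""
    persistent = set.intersection(*proc_views)
    reported = set.union(*ps_views)
    return sorted(persistent - reported)


def live_snapshot():
    """One (ps view, procfs view) pair from the running system."""
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "user,pid"], capture_output=True, text=True, check=True
    ).stdout
    return parse_ps(ps_out), parse_proc(os.listdir("/proc"))


def check_live(rounds=2):
    """Run the cross-view check on the live system; returns hidden pids."""
    snaps = [live_snapshot() for _ in range(rounds)]
    return hidden_pids([s[0] for s in snaps], [s[1] for s in snaps])


# Constructed sample: pid 303 is hidden from ps by a trojaned binary;
# pid 404 exits between the two procfs snapshots and must not be reported.
SAMPLE_PS = """USER       PID %CPU %MEM   VSZ   RSS TT  STAT STARTED    TIME COMMAND
root         1  0.0  0.1  1234   456 ??  Ss   10:00AM 0:00.10 /sbin/init
root       101  0.0  0.2  2345   678 ??  Is   10:00AM 0:00.05 /usr/sbin/sshd
www        202  0.1  0.5  9876  1234 ??  S    10:01AM 0:00.40 /usr/local/sbin/httpd
"""
SAMPLE_PROC_1 = ["1", "101", "202", "303", "404", "cpuinfo", "meminfo", "self"]
SAMPLE_PROC_2 = ["1", "101", "202", "303", "cpuinfo", "meminfo", "self"]


def demo():
    """Cross-view on the constructed sample; returns [303]."""
    ps_view = parse_ps(SAMPLE_PS)
    return hidden_pids([ps_view, ps_view],
                       [parse_proc(SAMPLE_PROC_1), parse_proc(SAMPLE_PROC_2)])
```

This catches the conventional (user-level) transformation. Once the kernel itself is hooked (slide 44) both views come from the same lying source and agree with each other, which is why the deck moves on to comparing against the memory image rather than asking the running system.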
54. (Diagram: process analysis on the layered model. The running Service is compared with a Known Good Service: NOT SAME, ATTACK DETECTED! The Attacker Program and Attacker File remain on the system.)
55. Transformation Detection Methods
• Network Monitoring
• NIDS
• Firewall monitoring
• Bandwidth trending
• Output can identify the use of known attacks, or the use of privileged accounts
56. Transformation Detection Methods
• Network Monitoring
Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP [Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3
• Example Snort® log entry in which the sensor has detected the op-codes (machine instructions) of a "stealth NOOP" sled.
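A small parser for the Snort syslog alert format shown on the slide, added here as an example rather than taken from the deck. It splits an entry into its generator/signature/revision ids, message, optional classification, priority, protocol and endpoints, then filters for the alerts a transformation investigation cares about: shellcode or NOP-sled signatures and anything at priority 2 or better. The first log line is the one from the slide; the other two are constructed. Treating a {PROTO001}-style token as an IP protocol number is an assumption.

```python
"""Parse Snort syslog alerts and keep the interesting ones.
First sample line is from the slide; the rest are constructed."""
import re

# "[gid:sid:rev] message [Classification: ...] [Priority: n]: {proto} src -> dst"
_ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:\s*"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Assumption: {PROTO001}-style tokens carry the IP protocol number
_PROTO_NUMBERS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _split_endpoint(ep):
    """'10.0.0.1:80' -> ('10.0.0.1', 80); '10.0.0.1' -> ('10.0.0.1', None)."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = _ALERT.search(line)
    if not m:
        return None
    proto = m.group("proto")
    pm = re.fullmatch(r"PROTO:?(\d+)", proto)
    if pm:
        proto = _PROTO_NUMBERS.get(int(pm.group(1)), proto)
    src, sport = _split_endpoint(m.group("src"))
    dst, dport = _split_endpoint(m.group("dst"))
    return {
        "sid": (int(m.group("gid")), int(m.group("sid")), int(m.group("rev"))),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        "priority": int(m.group("prio")),
        "proto": proto,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def interesting(lines, max_priority=2, keywords=("SHELLCODE", "NOOP", "NOP SLED")):
    """Alerts at priority <= max_priority, or whose message names shellcode."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["priority"] <= max_priority or any(k in alert["msg"].upper() for k in keywords):
            hits.append(alert)
    return hits


SAMPLE_LOG = [
    # from the slide
    "Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP "
    "[Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3",
    # constructed: low-priority noise with a classification and ports
    "Nov 10 21:59:09 <4.1> 172.16.1.20 snort: [1:99999:1] CONSTRUCTED web scan "
    "[Classification: Not Suspicious Traffic] [Priority: 3]: {TCP} 10.0.1.125:40123 -> 10.5.1.3:80",
    # constructed: not a Snort alert at all
    "Nov 10 21:59:07 <4.1> 172.16.1.20 sshd[123]: Accepted publickey for ops from 10.0.1.50",
]


def demo():
    """Filter the sample log; returns only the shellcode alert from the slide."""
    return interesting(SAMPLE_LOG)
```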
57. Transformation Detection Methods
• Network Monitoring
% tcpdump -nett -i pflog0
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
1100221136.677441 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
1100221138.370423 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
• Example use of tcpdump on the OpenBSD® PF firewall: an internal host's SYN to TCP port 445 on an outside address is blocked by rule 1, and the identical sequence number shows the second packet is a retransmit of the first.
58. (Diagram: a Network Intrusion Detection System watching traffic from the Attacker Program: ATTACK DETECTED! The Attacker Program and Attacker File remain on the system.)
59. Transformation Detection Methods
• Signature / Pattern Matching
• Database of known patterns and signatures
• Binary Sequence Matching
• Used in NIDS / HIDS / Investigative Tools
60. Transformation Detection Methods
• Signature / Pattern Matching
% file libtransform.so.1
libtransform.so.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), stripped
• Output of the "file" utility on a shared object.
• The "file" utility attempts to determine the type of the specified file from its header and content.
61. (Diagram: signature / pattern matching against the Attacker Program: 1. File Size, 2. Header Information, 3. File Content, 4. Unknown Pattern. ATTACK DETECTED! The Attacker File remains on the file system.)
62. Investigating – AgriEng Inc
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
63. (Diagram: AgriEng Inc investigation. The Attacker Program and Attacker File are identified at user level, in memory and on the file system: ATTACK DETECTED!)
65. Anti-Forensics - Traditional Techniques
Advanced Transformation Detection Methods
• Detection of system call hijacking
66. Advanced Transformation Detection Methods
• Detection of system call hijacking
• System call hijacking changes the address the kernel dispatches a call to, from the kernel's own handler to the attacker's module
• If an investigator can find an entry in the system call table that no longer points at the known handler, the attack is detected
67. Advanced Transformation Detection Methods
• Advanced Transformation Detection methods

    if (sysent[SYS_open].sy_call != open)
        panic("open system call has been hi-jacked");
    if (sysent[SYS_write].sy_call != write)
        panic("write system call has been hi-jacked");

• Code snippet for the FreeBSD® operating system which, when executed in the context of the kernel, could be used to detect the presence of a hijacked system call.
• The check only holds if the code doing the checking and its reference addresses are themselves trusted; a kit that patches the body of the handler rather than the table entry passes it, which is the point of the direct kernel hijack discussed later.
68. Investigating – ServPro GmbH
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
• Detection of system call hijacking
69. (Diagram: ServPro GmbH investigation. The Attacker Program in memory and the Attacker File on the file system are identified: ATTACK DETECTED!)
71. Anti-Forensics – Emerging Techniques
Emerging transformation methods
• Hijacking of user space library calls
72. Dynamically Linked Libraries
• More efficient use of system resources
• Loaded from user space
• Multiple programs utilize the same code libraries for similar functions
• Attackers can change program behaviour without modifying the program or the libraries
(Diagram: standard libraries resident in memory, dynamically linked into programs from user space.)
75. Emerging transformation methods
• Hijacking of user space library calls
• Information Transformation
• Takes "ugly / untrusted" information and makes it look "good / trusted"
• Scenarios
• System logs
• Audit logs
• Existing files
• IDS
• FW
• Dynamic review
76. Emerging Techniques – Government Department
• Attacker identifies vulnerability
• Breaks into system
• Installs user space module for shared library hijacking
• Creates automated system to send out client information
• Avoids capture through the regular methods used by investigators
77. (Diagram: Government Department compromise. An Attacker File is loaded at user level; a Shared Object File sits on the file system beside the Config File, Program, Target File, Log File, Temp Log and Temp File.)
78. (Diagram: Identification phase for the Government Department. The Attacker File and Shared Object File sit on the file system beside the normal files; nothing stands out at user level or in memory.)
79. Investigating – Government Department
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
• Detection of system call hijacking
80. (Diagram: the traditional checks, run at user level against the Temp Log, Config File, Shared Object File, Temp File, Target File, Log File and Program, report No Attack, while the Attacker File and Shared Object File remain on the file system.)
83. Emerging transformation detection methods
• Shared Library Analysis
• Analyze active processes to identify links to "ugly / untrusted" shared libraries
• Using lsof to analyze the VMCORE (kernel memory dump)
• Identifies whether an untrusted object is mapped by any process on the system
• Using objdump to analyze dynamic symbols
• Identifies which functions are being hijacked by the untrusted object
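The two steps above as detection logic, added here as an example and not code from the deck: first find, from lsof output, processes that have a shared object mapped from outside the trusted library directories; then, from objdump -T on that object, list the functions it defines under the same names as libc routines, since those are the calls the dynamic loader will resolve to it instead of libc. Both tool outputs are constructed (the object name libtransform.so.1 is the one from the deck); the trusted directory prefixes and the watch list of libc functions are assumptions for the demo.

```python
"""Shared library analysis from lsof and objdump -T output.
Tool outputs are constructed; directory and function lists are assumptions."""
import re

TRUSTED_LIB_DIRS = ("/lib/", "/usr/lib/", "/usr/lib32/")  # assumption for the demo

# libc entry points whose hijack lets an object "transform" what ls, ps, cat,
# netstat and log viewers see (assumed watch list)
WATCHED_FUNCTIONS = {"open", "fopen", "read", "write", "stat", "lstat",
                     "opendir", "readdir", "getdents", "execve"}


def parse_lsof(text):
    """(command, pid, path) for every memory-mapped (mem) or text (txt) file in lsof output."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)  # NAME may contain spaces; keep it whole
        if len(parts) < 9:
            continue
        command, pid, fd, ftype, name = parts[0], parts[1], parts[3], parts[4], parts[8]
        if fd in ("mem", "txt") and ftype == "REG":
            rows.append((command, int(pid), name))
    return rows


def untrusted_mappings(rows, trusted_dirs=TRUSTED_LIB_DIRS):
    """Shared objects mapped from outside the trusted library directories."""
    hits = set()
    for command, pid, path in rows:
        if (path.endswith(".so") or ".so." in path) and not path.startswith(trusted_dirs):
            hits.add((command, pid, path))
    return sorted(hits)


def parse_objdump_dynsyms(text):
    """name -> {'defined': bool, 'function': bool} from `objdump -T` output."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
            continue
        # layout: address flags section size [version] name
        sec_idx = next((i for i, p in enumerate(parts) if p.startswith((".", "*"))), None)
        if sec_idx is None:
            continue
        flags = "".join(parts[1:sec_idx])
        syms[parts[-1]] = {"defined": parts[sec_idx] != "*UND*", "function": "F" in flags}
    return syms


def hijacked_functions(syms, watched=WATCHED_FUNCTIONS):
    """Watched libc names that the object defines itself, so the loader resolves to it."""
    return sorted(n for n, s in syms.items() if s["defined"] and s["function"] and n in watched)


def forwards_to_real(syms):
    """True if the object imports dlsym, the usual way a hook locates the original function."""
    return "dlsym" in syms and not syms["dlsym"]["defined"]


SAMPLE_LSOF = """COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF  NODE NAME
sshd      101 root txt    REG    8,1   412000 11002 /usr/sbin/sshd
sshd      101 root mem    REG    8,1  1320000 41211 /lib/libc.so.7
sshd      101 root mem    REG    8,1     8192 99001 /usr/local/lib/libtransform.so.1
syslogd    77 root txt    REG    8,1    61000 11010 /usr/sbin/syslogd
syslogd    77 root mem    REG    8,1  1320000 41211 /lib/libc.so.7
"""

SAMPLE_OBJDUMP = """
libtransform.so.1:     file format elf32-i386-freebsd

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000              dlsym
00000000      DF *UND*  00000000              strstr
00000560 g    DF .text  0000004c              open
000005b0 g    DF .text  00000060              readdir
00000620 g    DF .text  00000020              _init
00001a00 g    DO .bss   00000004              hidden_prefix
"""


def demo():
    """Run both steps on the constructed outputs."""
    suspects = untrusted_mappings(parse_lsof(SAMPLE_LSOF))
    syms = parse_objdump_dynsyms(SAMPLE_OBJDUMP)
    return {"suspects": suspects,
            "hijacked": hijacked_functions(syms),
            "uses_dlsym": forwards_to_real(syms)}
```

Take the lsof view from the VMCORE rather than the live host, as the slide says, so that a hook on readdir cannot hide its own mapping from the listing, and pull the object for objdump from the hard drive image. A defined open or readdir in an object that is not libc, paired with an imported dlsym, is the signature of a forwarding hook: it intercepts the call, consults the real function, and returns transformed results.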
84. Investigating – Government Department
• Using lsof to analyze the VMCORE
• Using objdump to analyze dynamic symbols
85. (Diagram: shared library analysis against the VMCORE File in memory identifies the Attacker File and the Shared Object File on the file system: ATTACK DETECTED!)
86. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
87. Current trends to watch
• Direct Kernel Hijack
• Concurrency Exploits
• Dynamic Firmware Attack
• Virtualization Attacks
88. Direct Kernel Hijack
• Modifies the live kernel image instead of the system call table
• Injection of malicious kernel code through /dev/mem or /dev/kmem (both require root to open for writing)
• This isn't new, but it is gaining popularity again…
• Tripwire, Exec Shield and PaX bypasses are standard in most kits
• Most script kits do not require root for proper execution on Ubuntu and general Linux/BSD flavors
• Better detection of NOP sleds, allowing a higher chance of first-time success
89. Concurrency Exploits & Race Conditions
• System call wrappers have been touted as the answer to system call hijacking
• Concurrency exploits remove the effectiveness of wrappers on multiprocessor systems (and on preemptive uniprocessors): the arguments a wrapper checks can be changed before the kernel reads them
• More information: Watson, "Exploiting Concurrency Vulnerabilities in System Call Wrappers", WOOT 2007
• http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf
91. Firmware Attack - Covert Channel
• Hijack of interrupts through firmware exploitation
• RAID / SATA drives increasingly vulnerable
• Automated exploit through dynamic firmware update
• Hide I/O errors, misreport write commands, rewrite strings being written to the drive
92. Virtualization Attacks
• The Blue Pill hype (and anti-hype)
• http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html
• Reported to be 100% undetectable malware
• On-the-fly installation of malware that "traps and emulates" the original OS
• Timing, memory and hypervisor checks detect it…
• As hardware moves towards virtualization support this will become a bigger concern
93. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
94. Prevention Methods for the Real World
• Psychological Changes
• Be aware of this type of activity
• Process Changes
• Modify incident handling and forensic investigation processes to test for this type of activity
• Architecture Changes
• Static linking (back to the future!): a statically linked binary resolves no library symbols at run time, so user space library hijacking has nothing to hook
• Utilize trusted security architectures
• Cryptographic execution policy (checksums)
• Mandatory Access Control frameworks
• FreeBSD Trusted Execution Policy
95. Prevention Methods for the Real World
• Real world tools for detection available:
• RootKit Hook Analyser
• http://www.resplendence.com/hookanalyzer
• RootkitRevealer (Windows NT4 – 2003+)
• http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
• F-Secure BlackLight
• http://www.f-secure.co.uk/blacklight/blacklight.html
96. Prevention Methods for the Real World
• Real world tools for prevention available:
• Tripwire
• http://www.tripwire.com/
• Third Brigade
• http://www.thirdbrigade.com/
• Anti-Rootkit software
• http://www.antirootkit.com/software/index.htm
97. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Prevention Methods for Real World
• Conclusions
99. Conclusions
• Transformation attacks can falsely maintain an investigator's trust in a system, preventing a proper investigation from occurring
100. Conclusions
• Awareness of anti-forensics and of the techniques required for identification will enhance our ability to protect our organizations
101. Thank-you
Michael Legary
Founder, Seccuris Inc.
(204) 255-4490
Michael.Legary@Seccuris.com
1-866-644-8442
www.seccuris.com