Forensics for the Defense

•Download as PPT, PDF•

0 likes•1,122 views

Forensic techniques are not just for law enforcement. You need to supplement your existing security package and provide evidence of due diligence in the event of an incident. Test your security before someone else does.

Technology

Tom Kopchak
Forensics for the Defense
(of your network)

•Who am I?
•Why am I here, and what
got me here?
•Why I am passionate
about computer security?
About the Presenter –
Who am I?

You do
"forensics"?!?
That sounds
awesome!!

The Truth
• Evidence can be hard to come by
• Any and all evidence must be carefully
accounted for and documented
• Cases involving movie-like circumstances are
few and far between

Forensics = Valuable
• Traditional - Law enforcement
• Emerging - Security

• Forensic Verification
• Forensic Penetration Testing
• Malware/Exploit/Breach Analysis
Practical Applications

Why Forensics?
• Security is not a checkbox
• Simulate attack
• Identify shortcomings

Forensic Verification
• Applications might store temporary/cached
data
• PCI implications

Test Configuration
• Control image
• Test Cases
• Analysis

Encrypted Laptop – Stolen!
It’s safe, right?

The Solution – Forensics
Penetration Testing
Zero Knowledge vs. Authenticated Testing

The Real Test
Fully Encrypted – Administrator Confidence 100%

Starting the Attack
Machine Powered Off – Full Disk Images Created

Breakthrough
• Grace period for pre-boot authentication lockout

Mounting the attack
Downgrade memory – Leverage DMA – Exploit OS
Result: Full Admin Access to Entire System

Failure of Encryption?
• Encryption Did Not Fail!
• Convenience vs. Security
• Zero knowledge attack

Forensics for the
Defense – One System
at a Time
• System vulnerabilities unknown until tested
• Forensic Penetration testing = same purpose as
traditional penetration test
• Learn and improve from mistakes

Conclusions
• Forensic techniques are
not just for law
enforcement
• Supplement your existing
security package
• Provide evidence of due
diligence in the event of an
incident
• Test your security before
someone else does

Taking a judge and jury through your investigative process, and why mobile evidence is relevant to your case, is only half of testimony. You should also be prepared to testify about the tools and methods you used, and to address any challenges to your process. This session will tell you what you need to know about mobile forensic extraction, analysis and interpretation; how to deal with questions about vendors’ proprietary methods; and specific challenges around mobile evidence authenticity and admissibility.

Interview Techniques for a Mobile Crime World

Cellebrite

Digital forensic investigators must increasingly wear more than one hat in an investigation, from seizure to examination to interviewing the victim or suspect. Whether you are an experienced investigator who has been trained in interview techniques, or a forensic examiner being asked to pull double duty as an interviewer, this class will give you the framework of skills you need to handle interviews specifically related to evidence you find on digital devices. We will discuss verbal communications in general and also discuss tried and true methodologies to enhance the chances of a confession.

ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloJohn Intindolo

Expp 03 technical_slidesRichard Pinner

Patent and patent searches an inventor perspective

Tyler James Johnson

Design and Analyze Secure Networked Systems - 1

Don Kim

Printer Security

Coastal Pet Products, Inc.

Security professionals must be aware of numerous attack vectors and threats that face their networks. All too often, some devices are forgotten or ignored. Printers are a staple of a corporate environment, and are frequently among the least secure elements of any network. Tom will explore the vulnerabilities associated with networked printers, potential attacks that can be leveraged using these devices, and solutions for mitigating and managing these threats. Presented by Tom Kopchak, Senior Engineer at Hurricane Labs.

Sounds of Security

Coastal Pet Products, Inc.

SNMP (Simple Network Management Protocol) is a great tool for monitoring, reporting and alerting on your network and is used by most enterprise level organizations. However it has a dark side. It can easily give away critical information about the system and the network. After showing how to enumerate this critical information and how it can be used in an attack, I will also discuss how to secure SNMP to prevent these kinds of attacks. This information will help those in enterprise IT security to better safeguard their SNMP from attack.

Attacking and Defending Full Disk Encryption

Coastal Pet Products, Inc.

One of your company's laptops was just stolen. You know that there was sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it? Many organizations are flocking to full disk encryption as a solution to their data security requirements. Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets. All too often, these systems are neither properly configured nor adequately tested. In this talk, Tom will analyze the challenges associated with both attacking and defending systems protected with full disk encryption. Many of the examples provided will draw from Tom's personal experience, including a case where a fully encrypted and powered down system was able to be fully compromised as part of a penetration test.

Lesson3 vitamins mineralswaterwschukraft

Beyond The Splunk App for Enterprise Security

Coastal Pet Products, Inc.

Domain Name System

Coastal Pet Products, Inc.

The Domain Name System (DNS) is a critical service for the operation of the Internet as we know it. Although the process of resolving human readable domain names into Internet-routable IP addresses may seem simple, this process is backed by a massive, globally-distributed database. The reliable functioning of this system impacts all users – from end users, to system administrators, to security professionals and event entire countries. Because of behavior and ubiquity of DNS, it has recently become a focus for attackers, especially as both a source and target for distributed denial of service (DDoS) attacks. In this presentation, Tom will provide an overview of the operation and design of the Domain Name System, focusing on both the global structure along with best practices for a local deployment. Security considerations will be a core component of the webinar, including an overview of recent attacks leveraging the fundamental operation of DNS along with improperly configured resolvers resulting in significant interruptions in Internet service.

Lesson3 planning fitnesswschukraft

Cloud Security: Ten Things

Coastal Pet Products, Inc.

If you're in IT, it's important to understand that your users are fully embracing the cloud. Understanding cloud security including how to utilize API calls safely and securely, the importance of Firewalls (yes, even in the cloud!) as well as ensuring redundancy and availability needs to be kept in the forefront of all cloud deployments. This presentation will help you to talk about cloud security in a non-confrontational way with your users.

Defense in Depth – Your Security Castle

Coastal Pet Products, Inc.

Enterprises face a wide range of threats across their information infrastructure. In order to protect critical systems and information, a comprehensive security approach is necessary. A single layer of defense cannot be considered adequate. Although no system can be considered absolutely secure, a multi-tiered security approach can effectively reduce the overall risk an organization must face. In this webinar, Tom will illustrate an effective security approach through the image of a castle. He will review many of the different defenses that can be deployed in unison to better secure a network from a range of threats. Tom will also provide examples of improvements that can be made leveraging existing controls to provide an overall increase in organizational security.

Big Data, Security Intelligence, (And Why I Hate This Title)

Coastal Pet Products, Inc.

Cyber Incident Response & Digital Forensics Lecture

Ollie Whitehouse

Competitive cyber security

William Mathews

Codebits 2010Tiago Henriques

Incident response, Hacker Techniques and Countermeasures

Jose L. Quiñones-Borrero

Cyber+Forensics.pdf

PankajKumar567425

Penetration testing must die

Security BSides London

BSidesLondon 20th April 2011 - Rory Mccune (@raesene) ----------- "Penetration testing" has become a staple of a the security programmes of a lot of companies around the world and particularly in the UK. Unfortunately in most cases it's poorly understood, the value for customers is minimal and it bears absolutely no resemblence to what a modern attacker would do. So it's time for it to die. ------ for more info about Rory Mccune go to www.7elements.co.uk

A Journey Into Pen-tester land: Myths or Facts!

Ammar WK

Automation and open source turning the tide on the attackers

Frank Victory

TOPIC: Automation and Open Source, Turning the Tide on Attackers The security world is still trying figure out how to deal with the overwhelming number of security alerts and data deluge most SOCs are faced with and then turn them into intelligence that is useful and actionable. Throwing more people and tech at the problem has proven to be ineffective and costly. In this talk I walk through methods and tools (that you can actually employ) to turn the tide in your favor and create a security team that proactively deals with threats.

Viewers also liked

Encryption for Everyone

Coastal Pet Products, Inc.

TandemLaunch Technologies

Science fairbigjohnboy

Using Big Data for Security Alerting Coastal Pet Products, Inc.

Competitive Cyber Security

Coastal Pet Products, Inc.

SNMP & The Dark Side of the Force

Coastal Pet Products, Inc.

Attacking and Defending Full Disk Encryption

Coastal Pet Products, Inc.

Lesson3 vitamins mineralswaterwschukraft

Beyond The Splunk App for Enterprise Security

Coastal Pet Products, Inc.

Domain Name System

Coastal Pet Products, Inc.

Lesson3 planning fitnesswschukraft

Cloud Security: Ten Things

Coastal Pet Products, Inc.

Defense in Depth – Your Security Castle

Coastal Pet Products, Inc.

Big Data, Security Intelligence, (And Why I Hate This Title)

Coastal Pet Products, Inc.

Viewers also liked (14)

Encryption for Everyone

TandemLaunch Technologies

Science fair

Using Big Data for Security Alerting

Competitive Cyber Security

SNMP & The Dark Side of the Force

Attacking and Defending Full Disk Encryption

Lesson3 vitamins mineralswater

Beyond The Splunk App for Enterprise Security

Domain Name System

Lesson3 planning fitness

Cloud Security: Ten Things

Defense in Depth – Your Security Castle

Big Data, Security Intelligence, (And Why I Hate This Title)

Similar to Forensics for the Defense

Cyber Incident Response & Digital Forensics Lecture

Ollie Whitehouse

Competitive cyber security

William Mathews

Codebits 2010Tiago Henriques

Incident response, Hacker Techniques and Countermeasures

Jose L. Quiñones-Borrero

Cyber+Forensics.pdf

PankajKumar567425

Penetration testing must die

Security BSides London

A Journey Into Pen-tester land: Myths or Facts!

Ammar WK

Automation and open source turning the tide on the attackers

Frank Victory

Draft current state of digital forensic and data science

Damir Delija

In this presentation we will introduce current state of digital forensics, its positioning in general IT security and relations with data science and data analyses. Many strong links exist among this technical and scientific fields, usually this links are not taken into consideration. For data owners, forensic researchers and investigators this connections and data views presents additional hidden values.

Introduction to computer forensic

Online

Remote forensics fsec2016 delija draft

Damir Delija

Computer ForensicTawhidur Rahman

644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf

Gnanavi2

Vest Forensics presentation owasp benelux days 2012 leuvenMarc Hullegie

Ethical Hacking and Defense Penetration

Jay Nagar

The_Pentester_Blueprint.pdf

gcara4

50 Shades of RED: Stories from the “Playroom” from CONFidence 2014

Chris Nickerson

Ever steal a Boeing 777? How about transfer more than $400,000,000 from an account? Have you ever had one of those bad days where one wrong press of the “enter” key accidently broadcasts an emergency message to the radio station asking an entire city to evacuate? The real destruction of a business doesn’t come from a shell, a picked lock or a simple lie. The REAL threat is when all of the disciplines are combined and the only thing left in the crosshairs is the BUSINESS itself. Red Teaming is not a process of finding “A” vulnerability, but showing how flaws at EVERY level of the program combine to cause devastating effects to the company (or the tester =) ). After 15 years in the Red Teaming, Pen Testing and Security Testing Business, I have had some of the weirdest things happen. In this 50 min story time, I plan to go over our methodology, some of our BEST and WORST moments on the job, tips/tricks we picked up along the way and hopefully we can have a few laughs at our (mis)fortune(s).

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group

Getting started in digital forensics

Infosec

Digital forensics is the backbone of investigating cybercrime. It includes identifying, preserving, extracting, analyzing and reporting evidence across computers, mobile devices and networks. Join Keatron Evans, Infosec instructor and Managing Partner at KM Cyber Security, in this on-demand webinar as we discuss: - The difference between computer, mobile and network forensics - How a forensics certification can progress your career - A live cloud forensics demonstration voted on by attendees - Digital forensics questions from live attendees You can watch the full webinar, including the live cloud forensics demo, here: https://www2.infosecinstitute.com/l/12882/2019-03-12/chf2dr

Practical SME Security on a ShoestringNCC Group

Similar to Forensics for the Defense (20)

Cyber Incident Response & Digital Forensics Lecture

Competitive cyber security

Codebits 2010

Incident response, Hacker Techniques and Countermeasures

Cyber+Forensics.pdf

Penetration testing must die

A Journey Into Pen-tester land: Myths or Facts!

Automation and open source turning the tide on the attackers

Draft current state of digital forensic and data science

Introduction to computer forensic

Remote forensics fsec2016 delija draft

Computer Forensic

644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf

Vest Forensics presentation owasp benelux days 2012 leuven

Ethical Hacking and Defense Penetration

The_Pentester_Blueprint.pdf

50 Shades of RED: Stories from the “Playroom” from CONFidence 2014

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design

Getting started in digital forensics

Practical SME Security on a Shoestring

Recently uploaded

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™

UiPathCommunity

In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni. 📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath: Autopilot per Studio Web Autopilot per Studio Autopilot per Apps Clipboard AI GenAI applicata alla Document Understanding 👨‍🏫👨‍💻 Speakers: Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath Andrei Tasca, RPA Solutions Team Lead @NTT Data

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

The Future of Platform Engineering

Jemma Hussein Allen

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Welocme to ViralQR, your best QR code generator.

ViralQR

Welcome to ViralQR, your best QR code generator available on the market! At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies. Our Vision We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide. Our Achievements Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes. Our Services At ViralQR, here is a comprehensive suite of services that caters to your very needs: Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses. Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding. Pricing and Packages Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service. Why choose us? ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations. Comprehensive Analytics Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country. So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!

Free Complete Python - A step towards Data Science

RinaMondal9

Recently uploaded (20)

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Leading Change strategies and insights for effective change management pdf 1.pdf

The Future of Platform Engineering

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Elevating Tactical DDD Patterns Through Object Calisthenics

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Securing your Kubernetes cluster_ a step-by-step guide to success !

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

PHP Frameworks: I want to break free (IPC Berlin 2024)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

The Art of the Pitch: WordPress Relationships and Sales

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Introduction to CHERI technology - Cybersecurity

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Welocme to ViralQR, your best QR code generator.

Free Complete Python - A step towards Data Science

Forensics for the Defense

1. Tom Kopchak Forensics for the Defense (of your network)

2. •Who am I? •Why am I here, and what got me here? •Why I am passionate about computer security? About the Presenter – Who am I?

3. You do "forensics"?!? That sounds awesome!!

4. The Truth • Evidence can be hard to come by • Any and all evidence must be carefully accounted for and documented • Cases involving movie-like circumstances are few and far between

5. Forensics = Valuable • Traditional - Law enforcement • Emerging - Security

6. Traditional Forensics – Disks

7. Next Steps – Memory

8. Expanding the Scope

9. Leveraging Forensics for Business

10. Commonalities

11. Practical Applications

12. • Forensic Verification • Forensic Penetration Testing • Malware/Exploit/Breach Analysis Practical Applications

13. A word of caution... • Permission!

14. Why Forensics? • Security is not a checkbox • Simulate attack • Identify shortcomings

15. Forensic Verification • Applications might store temporary/cached data • PCI implications

16. Test Configuration • Control image • Test Cases • Analysis

17. Encrypted Laptop – Stolen! It’s safe, right?

18. The Solution – Forensics Penetration Testing Zero Knowledge vs. Authenticated Testing

19. The Real Test Fully Encrypted – Administrator Confidence 100%

20. Starting the Attack Machine Powered Off – Full Disk Images Created

21. Breakthrough • Grace period for pre-boot authentication lockout

22. Mounting the attack Downgrade memory – Leverage DMA – Exploit OS Result: Full Admin Access to Entire System

23. Failure of Encryption? • Encryption Did Not Fail! • Convenience vs. Security • Zero knowledge attack

24. Forensics for the Defense – One System at a Time • System vulnerabilities unknown until tested • Forensic Penetration testing = same purpose as traditional penetration test • Learn and improve from mistakes

25. Conclusions • Forensic techniques are not just for law enforcement • Supplement your existing security package • Provide evidence of due diligence in the event of an incident • Test your security before someone else does

26. Wrap Up/QA

Editor's Notes

Crime scenes and evidence, Bringing criminals to justice, Secret files on devicesNeatly laid out trail of evidence, Police chases, GunfireEverything solved by the end of the TV show - in 30 minutes or less (commercials not included, of course)
Law enforcement: Critical evidence in cases, Breaches/Cyber attacks Emerging - Security: Verification, penetration testing
"Dead" analysis: Drive image, Searching for deleted and hidden files, Evidence must never change New technologies making this more challenging - Full disk encryption/hardware encryption, Solid State Drives
Memory analysis - becoming increasingly important Capturing this evidence often requires modifying evidence - capture tools need to access/write to memory Some evidence may only exist in memory
Network forensics - much more information Search and web history, timing of requests and keystrokes, location data Sources - firewall logs, DNS logs, IDS logs, packet captures
Forensic techniques - more than just law enforcement - More flexibility - Experimenting with evidence may be desirable - Minimal legal issues, especially for research purposes
- Time consuming process - Requires attention to detail - Documentation! - Consider time involved when determining if necessary
-Verification - application analysis and verification -Pen testing - encrypted laptop -Malware/Exploit/Breach Analysis - be careful, legal concerns
-Consider legal ramifications, especially if there is a possibility of criminal activity -Know your limits -Involve law enforcement-Critical for malware/breach investigations
-Checkbox - trust but verify -Simulate an actual attack - Zero-knowledge attacks -Identify shortcomings before they become problems
Application verification - Don’t trust the developer’s word!
For application verification -Control image - system with application, simplify system as much as possible -Test cases: run application, generate data -Analysis: Investigate application process/behavior - MAC times, search for interesting data
Setting the scene: Company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
Zero knowledge attack - identical to a real attack Authenticated testing - allows for testing specific scenarios
Laptop was fully encrypted Administrator confident no information could be retrieved or leaked
Full disk images - physical and digital Write blocker used, system never booted using original disk (critical step!) - Scratch disk could be restored, no evidence of attack Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption Solution
Grace period - window of time where system was allowed to boot normally -passphrase was required after timeout. Images/repeated imaging allowed us to work indefinitely System booted to Windows during grace period - no need to attack encryption directly, memory analysis techniques
-Downgrade system memory -Leverage DMA to dump memory - firewire -Exploit operating system structure in memory (Inception tool) -Result - full admin access
We didn’t need to break the encryption -leveraged configuration oversights, key may still be in memory -Convenience vs. Security, resulted in total failure -Zero Knowledge - company would not be able to determine information was stolen

Forensics for the Defense

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Similar to Forensics for the Defense

Similar to Forensics for the Defense (20)

Recently uploaded

Recently uploaded (20)

Forensics for the Defense

Editor's Notes