This document contains the summary of a presentation on real time forensics. It discusses how real time forensics can uncover the culprit while the evidence is still fresh by finding out what was damaged or stolen, the attack method used, where data was sent, and allowing recovery of compromised systems. It also examines what it would take to implement real time forensics across an entire enterprise system in real time.

1. Session ID:
Session Classification:
Bruce Snell
McAfee
SPO2-W23B
General Interest
Real Time Forensics:
Uncoverthe culpritwhile the body is still
warm

2. ► Find out what was damaged/stolen
► Find out what attack was used
► Find out where data was sent
► Recovery of compromised systems
What do we accomplish with Forensics?

3. ► Find out what was damaged/stolen
► Know who we need to notify
► Recover lost/damaged systems
► Better prepare defense for next time
What do we accomplish with Forensics?

4. ► Find out what was attack was used
► Reporting
► Otaku factor
What do we accomplish with Forensics?

5. ► Find out where the data was sent
► Aid in investigation by authorities
► Strengthen defense against future attacks
What do we accomplish with Forensics?

6. ► Recovery of compromised systems
► Identify which systems are impacted
► Costly physical recovery typically needed
What do we accomplish with Forensics?

7. ► …to provide real time forensics?
What would it take…

8. ► Every machine?
► In your entire Enterprise
► With the exact state information?
► Go!
Can you grab data from…

9. ► Multiple vulnerabilities exposed in Adobe Flash
► CVE-2013-0633
► Used in targeted attacks, disguised as Word email attachment
► Contains malicious Flash content
► Buffer overflow
► CVE-2013-0634
► Exploit reported by Lockheed Martin, MITRE and others, suggesting
targeted industrial espionage
► Memory corruption
Scenario…

10. How do you react?

11. Demo

12. P2P Speed
zone server
command
server
continuous connection

13. Questions?