This document discusses counterforensics techniques used by insiders to evade detection. It describes how counterforensics is derived from counterintelligence and aims to prevent or thwart investigations. Common tactics discussed include hiding and concealing activities and data through steganography, encryption, and destroying evidence by deleting files and overwriting data. The document also recommends tools for user behavior monitoring and activity replay to help reveal hidden insider tracks.
Veriato Counterforensics Webinar: How Insiders Evade Forensics and How to Reveal Their Hidden Tracks
3. What is Counterforensics?
aka Anti-Forensics
Derived from Counterintelligence:
"activities designed to prevent or thwart spying, intelligence gathering, and sabotage by an enemy or other foreign entity."
Counterforensics:
"activities designed to prevent or thwart forensics investigations through data destruction, data and activity concealment, deception or sabotage."
5. Hiding/Concealing Activities and Data
Steganography
Utilize common file formats/channels - hide in plain sight
File concatenation
File/data encryption
Encrypted comms channels
6. Why Steganography?
Confidential
Video and image files typically are large enough to carry additional data (e.g. messages, files)
Casual viewer will never know message/data is present
Can transport encrypted messages/data
Intended recipient can be difficult to identify
Anti-virus and endpoint security typically do not scan for hidden messages
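The simplest form of "hide in plain sight" on the previous slide, file concatenation, is data appended after the end of a valid image. The image still opens normally because every viewer stops at the end-of-image marker, so the payload is invisible to a casual look and to scanners that only validate the image. The following is an added example, not code from the webinar or from Veriato: it constructs a tiny PNG cover file in memory, appends a secret to it, and shows the check an investigator can run (walk the PNG chunk list to IEND and report whatever follows it). The cover image, the secret and all names are made up for the example.

```python
"""Added example: detect data concatenated onto the end of a PNG.

A PNG ends with its IEND chunk; viewers stop there, so anything appended
after it is invisible when the image is opened but trivially extractable.
The 2x2 cover image below is constructed in code, not taken from the slides.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)


def minimal_png(width: int = 2, height: int = 2) -> bytes:
    """A valid all-black 8-bit RGB PNG, used here as a constructed cover file."""
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = None) followed by width RGB triplets.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def png_end_offset(blob: bytes) -> int:
    """Walk the chunk list, verifying each CRC, and return the offset just past IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack("!I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated %r chunk" % ctype)
        stored_crc = struct.unpack("!I", blob[end - 4:end])[0]
        if zlib.crc32(ctype + blob[pos + 8:pos + 8 + length]) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after IEND: empty for a clean image, the payload for a concatenated one."""
    return blob[png_end_offset(blob):]


def conceal(cover_png: bytes, secret: bytes) -> bytes:
    """The insider's side of file concatenation: append the secret after IEND."""
    return cover_png + secret


if __name__ == "__main__":
    cover = minimal_png()
    stego = conceal(cover, b"constructed secret payload")
    print("clean image trailing bytes:", len(trailing_data(cover)))
    print("stego image trailing bytes:", trailing_data(stego))
```

The same idea applies to JPEG (data after the FFD9 end-of-image marker) and to archives, but each format needs its own walk to the true end of the structure; scanning for the marker bytes alone gives false positives because embedded thumbnails carry their own markers.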
7. Concealed message in ICMP
# ping -p feedfacedeadbeef Dest-B
# tcpdump -i eth0 host Dest-B -x
21:03:32.601102 IP Source-A > Dest-B: icmp 64: echo request seq 56
0x0000: 4500 0054 0038 4000 4001 6e1c 4655 1fe9 E..T.8@.@.n.FU..
0x0010: 4655 1fc2 0800 8120 5006 0038 e414 9942 FU......P..8...B
0x0020: 142a 0900 feed face dead beef feed face .*..............
0x0030: dead beef feed face dead beef feed face ................
0x0040: dead beef feed face dead beef feed face ................
0x0050: dead ..
IPv4 max packet size 65535 bytes - 28 bytes of IP and ICMP headers = 65507 bytes available for a message per ICMP echo
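The dump above shows what gives the channel away: after the 8-byte timestamp, a stock ping fills the data area with the incrementing bytes 0x10, 0x11, 0x12, ..., whereas `ping -p` repeats the chosen pattern (and a smuggled file repeats nothing at all). The block below is an added example, not code from the webinar: it builds echo requests in memory with both fillers, then parses a packet, verifies the ICMP checksum and flags any data area that is not the stock filler or is larger than ping's 56-byte default. Nothing is sent on the wire; the identifier 0x5006 and sequence 56 are taken from the dump, everything else is constructed.

```python
"""Added example: build ICMP echo requests with and without a concealed payload
and check the data area against what a stock iputils ping emits (an 8-byte
timestamp followed by the bytes 0x10, 0x11, 0x12, ...).  Packets are
constructed in memory; nothing is sent on the wire."""
import struct

ICMP_ECHO_REQUEST = 8
TIMESTAMP_LEN = 8      # iputils ping puts a struct timeval at the start of the data area
DEFAULT_DATA_LEN = 56  # ping's default data size, giving the 64-byte ICMP message seen above


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """Serialize an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def stock_ping_data(size: int = DEFAULT_DATA_LEN, timestamp: bytes = b"\x00" * 8) -> bytes:
    """Data area of a plain `ping`: timestamp, then 0x10, 0x11, ... up to size."""
    filler = bytes((0x10 + i) & 0xFF for i in range(size - TIMESTAMP_LEN))
    return timestamp + filler


def pattern_ping_data(pattern_hex: str, size: int = DEFAULT_DATA_LEN,
                      timestamp: bytes = b"\x00" * 8) -> bytes:
    """Data area of `ping -p <hex>`: timestamp, then the pattern repeated to size."""
    pattern = bytes.fromhex(pattern_hex)
    need = size - TIMESTAMP_LEN
    return timestamp + (pattern * (need // len(pattern) + 1))[:need]


def shortest_period(body: bytes) -> int:
    """Length of the shortest repeating unit; equals len(body) if nothing repeats."""
    for p in range(1, len(body)):
        if body == (body[:p] * (len(body) // p + 1))[:len(body)]:
            return p
    return len(body)


def inspect_echo_request(packet: bytes) -> dict:
    """Parse an echo request and flag a data area that is not stock ping filler."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    checksum_ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    data = packet[8:]
    body = data[TIMESTAMP_LEN:]
    stock = body == bytes((0x10 + i) & 0xFF for i in range(len(body)))
    period = shortest_period(body)
    return {
        "ident": ident, "seq": seq, "checksum_ok": checksum_ok,
        "data_len": len(data), "stock_filler": stock,
        "period": period, "filler_hex": body[:period].hex(),
        # Either a non-default filler or an oversized echo is worth a look.
        "suspicious": (not stock) or len(data) > DEFAULT_DATA_LEN,
    }


if __name__ == "__main__":
    for label, data in [("stock ping", stock_ping_data()),
                        ("ping -p feedfacedeadbeef", pattern_ping_data("feedfacedeadbeef"))]:
        print(label, inspect_echo_request(build_echo_request(0x5006, 56, data)))
```

The stock-filler check is specific to iputils ping; Windows ping fills with "abcdefghijklmnopqrstuvwabcdefghi" and other tools differ, so a production detector keeps one expected filler per known client and alerts on anything else, and it also watches echo size and rate, since 65507 bytes per echo is a lot more than a real ping ever carries.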
8. Hiding Activities in Plain Sight
Google Chrome extension - Netflix Hangouts
Watch Netflix at work, while appearing to be on a conference call
9. Hiding/Concealing Activities and Data: Encryption
Use of non-sanctioned encryption tools to encrypt files and data
Use encryption tools to obscure communications
Tor Browser or Tor proxy
Command line tools: OpenSSL, cryptcat
11. Deceptive Tactics
Alter timestamps/timelines
Alter logs or other data
Obfuscation of data, URLs, commands, etc.
C:\>cmd.exe /c c^^a^^l^^c^^.^^e^^x^^e
(each cmd.exe parsing pass strips one layer of carets: the outer shell turns ^^ into ^, the inner shell removes the rest, and calc.exe runs; a log that keeps only the raw command line never contains the string "calc.exe")
Stolen credential use
13. Deleting Alone May Not Destroy the Data
Filesystems usually free the location of a deleted file, but do not overwrite/destroy the data
Email servers typically free the location of a deleted email, but do not overwrite/destroy it
Secure deletion can include:
Overwriting/wiping one or more times
Defragmenting
Overwriting/wiping all free and slack space
Webmail and SaaS products are typically under the control of the service provider
15. Sabotage
Denial of Service (DoS)
Intentional malware/ransomware infection
Logic/time bombs
16. What can you do?
Visibility into activities when they happen
Full crime scene playback
Alert on suspicious activities
malicious application use
suspect website access
Tor Browser activity
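Alerting on the activities in this list only works if the rule sees what actually ran, so command lines have to be de-obfuscated before they are matched (the caret-escaped calc.exe on slide 11 is the standard case). The following is an added example, not Veriato's product logic: it peels cmd.exe caret layers until the command line is stable, then runs a handful of rules for the unsanctioned tools named on the slides (Tor Browser, OpenSSL used to encrypt, cryptcat) over constructed process-creation events. The events, user names, paths and rule names are made up for the example; the caret handling ignores double quotes, which cmd.exe treats specially, and is noted as a simplification in the code.

```python
"""Added example: normalize cmd.exe caret obfuscation and run a few alert rules
over constructed process-creation events.  The events, user names and paths are
made up; the tool names (Tor Browser, OpenSSL, cryptcat) and the caret-obfuscated
calc.exe command come from the slides."""


def cmd_unescape(s: str) -> str:
    """One cmd.exe parsing pass: a caret escapes the character after it.

    Simplification: cmd.exe does not treat carets specially inside double
    quotes; this pass ignores quoting, which is enough for unquoted payloads."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def normalize_cmdline(cmdline: str, max_layers: int = 4) -> tuple:
    """Peel caret layers until the string is stable; returns (plain, layers)."""
    cur, layers = cmdline, 0
    while layers < max_layers:
        nxt = cmd_unescape(cur)
        if nxt == cur:
            break
        cur, layers = nxt, layers + 1
    return cur, layers


def _image_name(image: str) -> str:
    """Lower-cased file name of an executable path (either separator)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Alert rules: name -> predicate over (image path, de-obfuscated command line).
RULES = {
    "tor_browser": lambda img, cmd: "tor browser" in img.lower() or _image_name(img) == "tor.exe",
    "openssl_enc": lambda img, cmd: _image_name(img) == "openssl.exe" and " enc " in f" {cmd} ",
    "cryptcat": lambda img, cmd: _image_name(img) == "cryptcat.exe",
}


def evaluate(event: dict) -> dict:
    """Return the event's user, de-obfuscated command line and fired alerts."""
    plain, layers = normalize_cmdline(event["cmdline"])
    alerts = [name for name, rule in RULES.items() if rule(event["image"], plain)]
    if layers > 0:
        alerts.append("caret_obfuscation")
    return {"user": event["user"], "cmdline": plain, "caret_layers": layers, "alerts": alerts}


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c c^^a^^l^^c^^.^^e^^x^^e"},
    {"user": "bob", "image": r"C:\Users\bob\Desktop\Tor Browser\Browser\firefox.exe",
     "cmdline": "firefox.exe"},
    {"user": "carol", "image": r"C:\Tools\OpenSSL\bin\openssl.exe",
     "cmdline": "openssl enc -aes-256-cbc -pbkdf2 -in customers.xlsx -out notes.bin"},
    {"user": "dave", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and return the results in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for result in run():
        print(result)
```

Matching on the image path rather than the process name is deliberate: Tor Browser's process is an ordinary firefox.exe, and only its install directory gives it away. Rules of this kind should run against the normalized command line and the raw one, so that the obfuscation itself, not just what it hides, becomes an alert.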
17. What can you do?
Block access to unwanted sites and network applications
Inventory sanctioned tools - know what is allowed and by whom
disk encryption
data deletion policies
cloud file storage
Employee Monitoring & User Behavior Analytics tools
18. User & Entity Behavioral Analytics (UEBA) & User Activity Monitoring (UAM)
19. Seeing Exactly What Happened (UAM)
Video Playback
• Time-Capsule DVR video review
• See all onscreen actions
• Play it back like your DVR
• Export as BMP, JPG or AVI
20. The Global Leader
The Biggest & Best use Veriato: 8 out of 10 in Technology, 7 out of 10 in Financial, 6 out of 10 in Health
Deployed in 110+ countries, in 3,000+ enterprises & thousands of SMBs
With Veriato's Cerebral, an end-to-end, integrated insider threat intelligence platform.
Cerebral’s eyes on glass technology gives you immediate visibility, so you know exactly what’s going on. If the alert comes in at 9:35 am, security can immediately go back in time and cue up video of Joey’s screen from 30 minutes before the alert and watch everything he does. Is he just working on a big report or is he encrypting the data and hiding it in a PowerPoint presentation?
Do you give him a raise for working hard… or call HR and the police?
Now you know exactly what to do within minutes!