BSidesTO - Incident Response for Cheapskates

Tags:

Preview:

Click to see full reader

DESCRIPTION

My talk for BSides Toronto 2013 outlining the cost effective ways to conduct incident rest and digital forensics in the real world.

Citation preview

Incident Response Incident Response for Cheapskatesfor Cheapskates

Lee BrotherstonLee Brotherston

Let's define anLet's define an

IncidentIncident

Where can we Where can we

Improve?Improve?

HijackHijack Integrate with Integrate with

ExistingExistingprocessesprocesses

Roles &Roles &ResponsibilitiesResponsibilities

Determine theDetermine the

RulesRulesof engagementof engagement

LeverageLeverage existing existing

toolstools

Relationships andRelationships and

PoliticsPolitics

SIEM'lessSIEM'lessIntelligenceIntelligence

Live systemLive systemForensicsForensics

SniperSniperForensicsForensics

Memory Analysis withMemory Analysis with

VolatilityVolatility

The Sleuth Kit +The Sleuth Kit +

AutopsyAutopsy

But... Encase & hardwareBut... Encase & hardware

WriteWriteBlocker?Blocker?

Oxford SemiconductorOxford Semiconductor

OXUF922 Bridge ChipOXUF922 Bridge Chip

Oxford SemiconductorOxford Semiconductor

OXUF922 Bridge ChipOXUF922 Bridge Chip

AgereAgereFW801FW801AgereAgereFW801FW801

FlashFlashSSTSST

39VF10039VF100

FlashFlashSSTSST

39VF10039VF100

RAMRAMIDTIDT

71V016SA71V016SA

RAMRAMIDTIDT

71V016SA71V016SA

FirewireFirewireFirewireFirewire

USBUSBUSBUSB IDEIDEIDEIDE

Write Blocker DiagramWrite Blocker Diagram

ArmArmProcessorProcessor

OXUF922 Bridge ChipOXUF922 Bridge Chip

DMADMA1394 / USB / 1394 / USB / UART / IDE / UART / IDE / SerialSerial

QueueQueueManagerManager

RAMRAM ControlControl

Hardware Write BlockersHardware Write Blockers

Run Software!Run Software!

Attribution: Brad McMahonAttribution: Brad McMahonAttribution: Brad McMahonAttribution: Brad McMahon

Taking an image withTaking an image with

dc3dd / dddc3dd / dd

# parted /mnt/usbdsk/target0_img.dd # parted /mnt/usbdsk/target0_img.dd GNU Parted 2.3GNU Parted 2.3Using /mnt/usbdsk/target0_img.ddUsing /mnt/usbdsk/target0_img.ddWelcome to GNU Parted! Type 'help' to view a list of commands.Welcome to GNU Parted! Type 'help' to view a list of commands.(parted) unit(parted) unitUnit? [compact]? B Unit? [compact]? B (parted) print (parted) print Model: (file)Model: (file)Disk /mnt/usbdsk/target0_img.dd: 500107862016BDisk /mnt/usbdsk/target0_img.dd: 500107862016BSector size (logical/physical): 512B/512BSector size (logical/physical): 512B/512BPartition Table: msdosPartition Table: msdos

Number Start End Size Type FileNumber Start End Size Type File 1 1048576B 210763775B 209715200B primary ntfs1 1048576B 210763775B 209715200B primary ntfs 2 210763776B 107586662399B 107375898624B primary ntfs2 210763776B 107586662399B 107375898624B primary ntfs 3 107586662400B 479341645311B 371754982912B primary ntfs3 107586662400B 479341645311B 371754982912B primary ntfs 4 479341645312B 500103450111B 20761804800B primary diag4 479341645312B 500103450111B 20761804800B primary diag

(parted) quit(parted) quit

# mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/# mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/

# ls /mnt/image/# ls /mnt/image/pagefile.sys Program Files System Volumepagefile.sys Program Files System VolumeInformation Documents and Settings PerfLogsInformation Documents and Settings PerfLogsProgram Files (x86) Recovery UsersProgram Files (x86) Recovery UsersProgramData $Recycle.BinProgramData $Recycle.BinWindowsWindows

What about virtualisedWhat about virtualised

Environments?Environments?

Free Forensics ToolsFree Forensics Tools

vs Encasevs Encase

Data & File AnalysisData & File Analysis

ToolsTools

For starters tryFor starters try

C.A.IN.EC.A.IN.E(Linux LiveCD)(Linux LiveCD)

RemediationRemediationCleanup/Shutdown/ProsecuteCleanup/Shutdown/Prosecute

Lessons Learned. Let'sLessons Learned. Let's

Market!Market!

Thank youThank youAny Questions?Any Questions?

Lee Brotherston - Lee Brotherston - @leEb_public - @leEb_public - lee@nerds.org.uklee@nerds.org.ukLee Brotherston - Lee Brotherston - @leEb_public - @leEb_public - lee@nerds.org.uklee@nerds.org.uk

Some Things I MentionedSome Things I Mentioned● Flow-tools: Flow-tools: http://www.splintered.net/sw/flow-http://www.splintered.net/sw/flow-tools/tools/

● Sleuthkit & Autopsy: Sleuthkit & Autopsy: http://www.sleuthkit.org/http://www.sleuthkit.org/

● Volatility: Volatility: https://www.volatilesystems.com/defaulthttps://www.volatilesystems.com/default/volatility/volatility

● C.A.IN.E:C.A.IN.E:

http://www.caine-live.net/http://www.caine-live.net/

● Dc3dd: Dc3dd: http://sourceforge.net/projects/dc3dd/http://sourceforge.net/projects/dc3dd/

Recommended

Business Resilience & Incident Response Are You Ready? · Resilience & Incident Response ... Business Resilience & Incident Response ... Business Resilience & Incident Response Are
Documents
Incident Response Incident Response Process Forensics
Documents
데이터시트: 태니엄 Incident Response / Datasheet: Tanium Incident Response
Software
Incident Response and Forensic Prepardness - ACUIA.org - Incident Response... · Incident Response and Forensic Preparedness ... and intrusion detection and antivirus products
Documents
POLLUTION INCIDENT RESPONSE MANAGEMENT PLAN FOR …danielsinternational.com.au/.../pollution-incident-response-plan.pdf · CONFIDENTIAL & PROPRIETARY | POLLUTION INCIDENT RESPONSE
Documents
California-Joint Cyber Incident Response Guide Cyber Incident...Feb 27, 2018  · Incident Response Lifecycle A security incident response capability will be developed and implemented
Documents
Data Breach IncIDent response plan toolkIt · Incident Response Team 3 Incident Response Contact Sheet 4 Suspecting or Detecting an Incident 5 Incident Response Discovery Form 6 Incident
Documents
Lesson 5 Introduction to Incident Response. UTSA IS 6353 Incident Response Overview Hacker Lexicon Incident Response
Documents
Incident Response Plan - Spearstonespearstone.com/resources/Breach_Response_Plan_by_AICPA.pdf · 4 Table of Contents Incident Response Plan 6 Incident Response Team 6 Incident Response
Documents
Improving Incident Response Incident Response Agenda Why Incident Response is Important Threats, Numbers, Traditional Response What is an Incident
Documents
CrowdStrike Services CROWDSTRIKE INCIDENT RESPONSE AND PROACTIVE …€¦ · CrowdStrike Incident Response & Proactive Services. 01 AM I BREACHED? INCIDENT RESPONSE The CrowdStrike
Documents
RSA Incident Response: Emerging Threat Profile€¦ · RSA Incident Response incident response RSA Incident Response: Emerging Threat Profile . Shell_Crew . January 2014
Documents
TRAUMATIC INCIDENT RESPONSE PROGRAM …Traumatic Incident Response Program Manual March 2014 2 SECU State Employees' Credit Union TIR Traumatic Incident Response TIRC Traumatic Incident
Documents
Communication Strategies for Incident Response - · PDF fileEffective incident response requires more than notification technologies. Real-time collaboration among incident response
Documents
Incident Response - so reagieren Sie richtig...Incident Response - so reagieren Sie richtig Author Christoph Baumgartner - OneConsult GmbH Subject Incident Response Keywords Incident
Documents
PPC for Cheapskates
Technology
Incident response cloud
Technology
Incident Response
Technology
INCIDENT RESPONSE ACTIVITY - ICS-CERT · 2017-01-09 · INCIDENT RESPONSE ACTIVITY. INDUSTRIAL CONTROL SYSTEMS. CYBER EMERGENCY RESPONSE TEAM. INCIDENT RESPONSE ACTIVITY. SITUATIONAL
Documents
Incident Totals Incident Type Response per District
Documents