FORENSICS
INCIDENT RESPONSE
Source: www.cybersec.org
INTRODUCTION
• SaskTel Business Solutions
  • Digital Forensics
• Rick Lee – EnCE, GCFA, CISSP
  • Royal Canadian Mounted Police – 25 years
  • Retired as the NCO i/c Saskatchewan Integrated Technological Crime Unit
  • C.S.I. Services Corp. – 12 years
  • SaskTel Corporate Security – 12.5 years
  • 20 years experience in Digital Forensics
  • Expert Witness
• Norm Rooney
  • Royal Canadian Mounted Police – 25 years
  • Retired as the NCO i/c Saskatchewan Integrated Technological Crime Unit
  • 13 years experience in Digital Forensics
  • Expert Witness
• Ryan Rupchan – GCFE
  • Newbie
• Partners
AGENDA
• What is DFIR?
• Why DFIR?
• Digital Forensics
• Incident Response
• SaskTel Offerings
WHAT IS DIGITAL FORENSICS?
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
DIGITAL FORENSICS VS. COMPUTER FORENSICS
Computer Forensics is the original term for examining computers looking for evidence of wrongdoing, with the goal of presenting the evidence in a judicial hearing.
With the passing of time and the expanding role of digital devices in our lives, the correct term now is Digital Forensics. Now we can locate digital evidence on computers, external storage devices, tablets, smart phones, vehicles, and the list just continues to expand.
WHY DIGITAL FORENSICS
• Almost everything we do nowadays leaves some form of digital trail. As a Digital Forensics Analyst, our job is to know:
  • what type of information is available,
  • where it is located, and
  • how to gather it in a forensically sound manner.
• Then our job is to be able to explain what the evidence is saying in a manner that anyone would be able to understand.
WHAT IS INCIDENT RESPONSE?
Incident response is a coordinated and structured approach to go from incident detection to resolution. Incident response may include activities that:
• Confirm whether or not an incident occurred
• Provide rapid detection and containment
• Prevent a disjointed, noncohesive response
• Determine and promote facts and actual information
• Minimize disruption to business and network operations
• Minimize the damage to the compromised organization
• Restore normal operations
• Manage the public perception of the incident
• Allow for criminal or civil actions against the perpetrators
• Educate Senior management
• Enhance the security posture of a compromised entity against future incidents
TYPES OF INVESTIGATIONS
• Incident Response
  – Network Breach
  – Phishing Attack
• Criminal Investigations
• Code of Conduct
• Theft of Intellectual Property
• Executive Dismissals
• e-Discovery
• Theft of funds, including bank access, credit card and wire fraud
• Privacy Breach
• HR – Employee Dismissal
• Smart Phone Forensics
• Computer Forensics
• Malware Analysis
COMPUTER INVOLVEMENT IN A CRIME
• There are basically three ways a computer becomes involved in an investigation:
• The Computer as a Target:
  • In this case the computer is the target of the crime.
  • An example would be an intrusion investigation.
• The Computer as an Instrument in a Crime:
  • In this case the computer is being used to assist in the commission of a crime.
  • An example would be accessing or distributing child pornography.
• The Computer holds evidence of a Traditional Crime:
  • This is a case where there may be incriminating evidence of a crime.
  • An example of this may be email between two subjects planning a crime.
SIZE DOES MATTER
• Size is increasing and cost is decreasing
• Requires a change in mindset as to what we are going to collect
Source: www.mkomo.com
WHAT IS A TERABYTE??? (OUTSIDE THE BOX)
A Terabyte is approximately 2,084 pallets, each containing 400 reams of 500 sheets of paper, which would take over 50 semi-trucks to transport.
ADVANCED PERSISTENT THREAT (APT)
An APT is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity:
• APT usually targets organizations and/or nations for business or political motives.
• APT processes require a high degree of covertness over a long period of time.
• The APT successfully compromises any target it desires*
• Conventional defenses are ineffective*
• The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
• The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target.
• The "threat" process indicates human involvement in orchestrating the attack.
* Source: Mandiant M-Trends – the advanced persistent threat (2010)
ADVANCED PERSISTENT THREAT - CHINA
• Early 2010 China hacks the following:
  – Google, Adobe, Yahoo, Symantec, Northrop Grumman, Dow Chemical, Juniper Networks, Rackspace
• Late 2010 China targets the following:
  – Government of Canada Finance Dept, Toronto Law Offices, Saskatchewan Potash Companies, Government of Saskatchewan
Source: www.mandiant.com
M-TRENDS 2019 - CHINA
CROWDSTRIKE – BREAKOUT TIME
Source: CrowdStrike 2019 Global Threat Report
DIGITAL FORENSICS
• Digital Forensic Process
• New Trends in Digital Forensics
• Where’s the Evidence?
• The Tools We Use
THE DIGITAL FORENSIC PROCESS
Figure: process flow diagram with the following stages.
• Data Collection: Host Based Data (including Live Data and Forensic Duplications), Network Based Data, Other Data
• Data Processing
• Information Review: Relevant Information, Leads
• Minimize
LEGAL AUTHORITY TO EXAMINE EVIDENCE
• Before you start your investigation you need to ensure you have the legal authority to examine the evidence.
  – Law Enforcement: This means either having a search warrant or the owner’s informed consent.
    • Informed consent means knowing the implications of having the evidence examined and the possibility of being charged with a criminal offense.
  – Corporate: This can be more difficult to establish as you need to consider the following:
    • Is the item the property of the corporation?
    • Are there any expectations of privacy on the part of the users of the system?
      – Is there a login banner indicating no expectation of privacy on the part of the user, which needs to be acknowledged prior to system usage?
DIGITAL FORENSIC PROCESS
• Evidence Collection
  – Chain of Custody
  – Forensic Image
• Evidence Examination
  – Identifying evidence
• Evidence Analysis
  – Analysis of the identified evidence
• Evidence Presentation
  – Court / Hearing
  – Client
NEW TRENDS IN DIGITAL FORENSICS
• Memory Analysis
• Distributed Processing
• Boot VM from image file from within Forensic Tool
• Facial Recognition & Skin Tone image analysis
• Character Recognition from Image Files
• Enterprise Forensic Tools
• Improved Tool Sets
  • Open Source and Commercial
• Vehicle Forensics
• Mobile and Wearable Forensics
WHERE’S THE EVIDENCE?
• Computer Hard Drive (Old Standard)
• Virtual machines
• Alternate Data Streams
• Steganography
• Memory (Computer’s)
• External Storage (USB, Wifi, NAS, etc.)
• Network Appliances
• Cloud
• Smart Phones
MEMORY CONTENT INCLUDES
• Internet History
• Pictures
• Chat
• Email
• MFT
• Executables
• Memory Resident Code
• Unencrypted Data
• Encryption Keys
• Passwords
• OS Artifacts
  – Running Processes
  – Network Configuration and Connections
  – IP Addresses
  – Log Files
  – Open Ports, Sockets and Files
• And More
  – Network PCAP Captures
CELL PHONE FORENSICS
Cell phones are ubiquitous and are an invaluable source of evidence which contains the user’s life history. Most of the information is only available if you have access to the phone.
• Cellebrite
  – Device Info
  – Locations
  – Messages
  – Photographs
  – Call Log
  – Calendar Entries
  – Contacts
  – Installed Apps
  – Activity Analytics
  – And More
ACQUISITION OF THE EVIDENCE
• Collection of the evidence
• Goal is to interact with the evidence as little as possible
• In the 1980s / 90s law enforcement was trained to pull the plug from the back of the computer when you arrived on the scene
• Is there reason to believe the drive may be encrypted?
• Realization that volatile information was being lost changed the process to doing a live response on the system, then pulling the plug
• Imaging of the evidence should be conducted in your controlled lab space
SOME OF OUR TOOLS
• EnCase Enterprise
• Intella
• Maltego 4
• Internet Evidence Finder
• Cellebrite UFED4PC
• Forensic Explorer
• Cyber Triage
OTHER FORENSIC TOOLS
• Forensic Suites
  – Axiom
• Windows Forensic Tools
  – F-Response
  – Passware
  – Log-MD
• Malware Analysis
  – Joe Sandbox
• Open Source Tools
  – Mandiant Highlighter
  – Mandiant Redline
  – Volatility
  – Rekall
  – RegRipper
  – 4n6Time
• Hardware
  – Digital Intelligence
    • Server, Towers, Laptops
    • Write Blockers / Imaging
  – Deepspar Disk Imager
INCIDENT RESPONSE OBJECTIVES
• The questions you need to answer:
  • Was this an actual attack?
  • Was the attack successful?
  • How did they get in?
  • What other assets were also compromised?
  • How are they able to persist in your network?
  • What did they do once they got in?
  • What needs to be contained, investigated and remediated?
THE BREACH INVESTIGATION
• Once you have determined there has been a breach, STOP looking for more information and bring in your forensic investigator / team.
• Create a forensic image of any compromised systems
• Retain all logs which may prove useful to your investigation
• Make notes of all pertinent information to the investigation and any actions taken on the compromised systems prior to bringing in your forensic investigator.
• Questions to answer:
  – Who, what, where, when, why and how
• Think about your communication plan.
• Create a timeline using the compromised systems, logs and any other available information
ATTACK LIFECYCLE
• Initial Compromise
• Establish Foothold
• Escalate Privileges
• Internal Reconnaissance
• Move Laterally
• Maintain Presence
• Complete Mission
Source: Incident Response & Computer Forensics, Third Edition
PHISHING ATTACKS - IT ONLY TAKES ONE
Humans are the most common cause of network breaches
INCIDENT DETECTION
1. IDS system detects remote attack
2. Numerous failed logon attempts
3. Logins into dormant or default accounts
4. Activity occurred during non-working hours
5. Presence of new accounts not created by the sysadmin
6. Unfamiliar files or executable programs
7. Unexplained elevation of privileges
8. Altered pages on the web server
9. Gaps or erasure of log files
10. Slower system performance
11. The system crashed
12. Receive an extortion email
13. Notified by upstream or downstream sites
14. Child Pornography
Detection sources (figure): IDS, End User, Help Desk, SysAdmins, Security, Human Resources
Mandiant’s M-Trends 2015 How Compromises are Being Detected: 31% by Internal Resources and 69% by an External Entity.
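Several of the detection indicators above (numerous failed logons, logins to dormant or default accounts, off-hours activity, accounts created by someone other than the sysadmin) can be checked mechanically against authentication logs. The following is an added example written for this page, not code from the slide deck or from SaskTel; the event records, account names, the five-failure threshold and the 07:00–18:59 business-hours window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of authentication events (not from the original deck).
# Each tuple: (timestamp, event kind, account, source host or creating account).
EVENTS = [
    ("2019-03-04 02:13:05", "fail", "administrator", "10.0.0.23"),
    ("2019-03-04 02:13:07", "fail", "administrator", "10.0.0.23"),
    ("2019-03-04 02:13:09", "fail", "administrator", "10.0.0.23"),
    ("2019-03-04 02:13:11", "fail", "administrator", "10.0.0.23"),
    ("2019-03-04 02:13:13", "fail", "administrator", "10.0.0.23"),
    ("2019-03-04 02:13:20", "success", "administrator", "10.0.0.23"),
    ("2019-03-04 02:20:00", "account_created", "svc_backup2", "administrator"),
    ("2019-03-04 09:15:00", "success", "jsmith", "10.0.0.44"),
    ("2019-03-04 22:40:00", "success", "old_contractor", "10.0.0.23"),
]

# Assumed site knowledge: dormant/default accounts and the authorised sysadmins.
DORMANT_OR_DEFAULT = {"administrator", "guest", "old_contractor"}
SYSADMINS = {"itadmin"}
FAIL_THRESHOLD = 5            # indicator 2: "numerous" failed logons (assumed)
BUSINESS_HOURS = range(7, 19) # indicator 4: 07:00-18:59 is working hours (assumed)

def detect_indicators(events, dormant=DORMANT_OR_DEFAULT, sysadmins=SYSADMINS):
    """Return a sorted list of (indicator, detail) findings for the event stream."""
    findings = set()
    fails = Counter()  # failed logons per (account, source) pair
    for ts, kind, account, source in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "fail":
            fails[(account, source)] += 1
            if fails[(account, source)] == FAIL_THRESHOLD:  # report once per pair
                findings.add(("failed_logons", f"{account} from {source}"))
        elif kind == "success":
            if account in dormant:  # indicator 3
                findings.add(("dormant_or_default_login", account))
            if when.hour not in BUSINESS_HOURS:  # indicator 4
                findings.add(("off_hours_activity", f"{account} at {ts}"))
        elif kind == "account_created" and source not in sysadmins:  # indicator 5
            findings.add(("unauthorized_account", f"{account} by {source}"))
    return sorted(findings)

if __name__ == "__main__":
    for indicator, detail in detect_indicators(EVENTS):
        print(f"{indicator:25s} {detail}")
```

Each finding is a lead to be confirmed by the investigator, not proof of compromise on its own; the thresholds and account lists must be tuned to the environment being monitored.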
INCIDENT RESPONSE PROCESS (PICERL)
• P – Preparation
• I – Identification & Scoping
• C – Containment & Intelligence Gathering
• E – Eradication & Remediation
• R – Recovery
• L – Lessons Learned & Follow Up
PIPEDA - BREACH NOTIFICATION
PIPEDA (Personal Information Protection and Electronic Documents Act)
A report to the Commissioner must be made in writing and contain the following information:
• the circumstances of the breach and, if known, the cause;
• the date or period during which the breach occurred;
• the personal information that is the subject of the breach;
• an estimate of the number of individuals at a real risk of significant harm;
• the steps that the organization has taken to reduce risk or mitigate harm to individuals;
• the steps that the organization has taken or intends to take to notify affected individuals; and
• the name and contact information of a person who can answer, on behalf of the organization, the Commissioner's questions about the breach.
BEWARE THE “C.S.I. EFFECT”
• Managing Expectations
  – Contrary to popular belief (e.g. CSI: Cyber), these investigations can’t be solved in hours and you won’t typically find all of the evidence.
A WORD ABOUT LEGAL
• It is worth considering having any investigations, whether you do it internally or outsource the work, run through your legal department.
• This gives you the advantage of client / solicitor privilege.
• Your work becomes work product of your legal department and is not discoverable in a judicial hearing.
JOE SANDBOX - VISUALS
DIGITAL FORENSICS SERVICE OFFERINGS
• Digital Forensics: Investigations, Environment Preparation, Digital Evidence
• Incident Response: Before a breach, During a breach, After a breach (Executive briefings)
• E-Discovery: Identification, Preservation, Collection, Processing, Review, Analysis, Production, Presentation
• Training: 2 x 3 day classes available – Incident Response Training, Open Source Intelligence
• Awareness Presentations: Digital Investigations, Incident Response, Security
SASKTEL: DIGITAL FORENSICS
• Investigations
  • Covert Investigations
  • Online Investigations
  • Criminal Investigations
• Preparing environment for investigations
  • Log Collection
  • Baseline Your Crown Jewels & Desktop Environment
  • Installation of Agents
• Digital Evidence
  • Systems
  • System Memory
  • Smartphones
SASKTEL: INCIDENT RESPONSE
• Assist your business before a breach occurs:
  • Establish an Incident Response Plan
  • Policies & Procedures
  • Review your Incident Response Plan
  • Table Top Exercises to test your Incident Response Plan
  • Incident Response Training
• Assist your business when the breach occurs:
  • Locate, Gather & Analyze the Evidence
  • Malware Analysis
• Assist your business after the breach has been remediated:
  • Report findings to Executive
SASKTEL: TRAINING
• Incident Response Training
  • 3 Day Class
  • Day 1 – Primarily lecture
    • CSIRT Structure
    • Incident Response Building Blocks
  • Days 2 & 3 – Hands on Windows
    • Live Response Kits
    • Windows Analysis
    • Practical Exercise
• Open Source Intelligence (OSINT)
  • 3 Day Class
  • Going Beyond Google Searching
SASKTEL: ADVANTAGE
• Confidentiality
• Documented processes
  • NDA, Contract, Statement of Work, Chain of Custody
• Digital Forensic Analysts have government security clearances, extensive knowledge, and years of experience
• Professional quality lab space
• Physically secure Digital Forensic office
• Industry-standard Digital Forensic hardware & software
• All work is completed locally
PROCESS TO ENGAGE SASKTEL’S DIGITAL FORENSICS GROUP
• Once we receive a call for work, we will come and meet with you and, after signing a Non-Disclosure Agreement:
  • Discuss your investigation / requirements
  • Develop a plan to address the issues discussed
  • SaskTel will then prepare a Statement of Work (SOW) and, once signed off by both parties, the work begins.
  • SaskTel will keep the individuals identified in the SOW updated on the progress of the investigation and the results of the analysis until the investigation is completed.
• SaskTel will prepare and present a report on the results of our analysis
• SaskTel Analyst will be available as required for any judicial hearings
“The Internet crime problem is going to get worse. How do I know? Simple. There is always a percentage of the population who are up to no good. As the entire population moves to the Internet, so will the criminals.”
– Scott Charney, Department of Justice, Computer Crimes and Intellectual Property Section (USA)
Let’s start a conversation. Rick Lee | 1-844-691-1646 | [email protected]/digitalforensics