(120804) #fitalk field device
TRANSCRIPT
FORENSIC INSIGHT SEMINAR
Discussion #1 : Field device
ykei
ykei.egloos.com
@ykx100
forensicinsight.org Page 2 / 21
Overview
1. Background
2. Problems
3. When I met SCADA
4. Discussion topic
Background
- What is a field device
- Why we need to care about this
Background
What is a field device here?
Background
Why do we need to care about this?
Fxxk the mass-media
Have to cross check → Be trustworthy
To find the smoking bit (especially manipulated digital evidence)
No way without this
Major threat for forensicators
Problems
- Issues that I met
- Example
Problems
Issue / If
Interfaces: it has no USB, CD-ROM, display, keyboard or Ethernet
File system mount: does not support NTFS? Or trouble recognizing it
OS-compatible tools: no executable imaging tool, not even dd
The risk of system failure: we have no time for a verification situation
Capacity / Time: other headache factors
Of course, we have to keep the integrity of the evidence! Can you accomplish this mission?
Problems
Examples
Router / Switch
• Telnet, Console Connection
• But No Imaging tools
Home Router (Wire, Wireless)
• Telnet, Web Admin
• No imaging tools (but it can execute a static dd binary)
Home SCADA
• Nothing!! Just an open, stupid console
When I met SCADA
- Case Study
I think… case
When I met SCADA
Case Study
Prepare
See pic…
Sorry
Log
Test
Vaccine
Undetected malware
Detected malware
Remote Control
• RDP, Neturo
Discussion topic
Case Study
What is the data for forensicators?
Disk / memory image? Log files?
How can we better preserve evidence?
• Imaging is the ideal option.
• FTP? / File copy?
How can we keep integrity for the chain of custody?
• File hash? / Documents (some kind of agreement?) / Burning a CD?
How can we acquire a field device?
• Router, gateway, switch, home network device, even SCADA?
• Forensic acquisition tools? / dd? / File copy? / Cold imaging?
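One way to combine the dd acquisition and file-hash chain of custody that the last two questions raise, as an added example that is not from the seminar slides: it assumes POSIX sh with dd, sha256sum and awk, and the /dev/mtdblock0 name in demo() is a constructed stand-in file, not a real device.

```shell
#!/bin/sh
# Added example, not from the slides: acquire a device with dd and record
# SHA-256 hashes of source and image in a manifest so the copy can later be
# verified for chain of custody. Assumes POSIX sh with dd, sha256sum and awk;
# the "device" in demo() is a constructed file standing in for e.g. /dev/mtdblock0.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# record FILE MANIFEST: append "<sha256>  <path>  <bytes>  <utc time>".
record() {
    printf '%s  %s  %s  %s\n' "$(sha256_of "$1")" "$1" \
        "$(wc -c < "$1" | tr -d ' ')" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$2"
}

# acquire_image SRC DST MANIFEST: copy SRC to DST block-wise, hash both sides,
# write the manifest; returns 0 only if source and image hashes match.
acquire_image() {
    src=$1; dst=$2; manifest=$3
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 2
    record "$src" "$manifest"
    record "$dst" "$manifest"
    [ "$(sha256_of "$src")" = "$(sha256_of "$dst")" ]
}

# verify_image IMAGE MANIFEST: recompute the image hash and compare it with the
# value recorded at acquisition time; returns 1 if it differs or is missing.
verify_image() {
    recorded=$(awk -v f="$1" '$2 == f { print $1; exit }' "$2")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$1")" ]
}

# demo: constructed 10 000-byte sample file in place of a real device.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/mtdblock0" bs=1000 count=10 2>/dev/null
    acquire_image "$work/mtdblock0" "$work/mtdblock0.img" "$work/manifest.txt" || return 1
    verify_image "$work/mtdblock0.img" "$work/manifest.txt" || return 1
    printf 'x' >> "$work/mtdblock0.img"          # simulate a modified image
    if verify_image "$work/mtdblock0.img" "$work/manifest.txt"; then return 1; fi
    echo "image acquired, hashes match, later modification detected"
}

demo
```

On a real field device the same functions run from a static dd binary and the manifest is kept with the signed acquisition notes, so anyone receiving the image can re-run verify_image before analysis.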