drc security meeting_david

Description: Presentation about Malware Analysis and Digital Forensics as a way to detect and dissect Malware.

Transcript

Security Meeting: Malware Analysis, Disaster Recovery & SIEM
Portugal · Switzerland · Mozambique · Angola · Australia
Speaker: David Marques
16th March 2012
Data Recover Center
Lisboa Telefone: 707 200 017 E-Mail: [email protected] Website: www.drc.pt
History
• Founded in 1989
• 1998: Data Recovery
• 2006: Digital Forensics
• 2009: Consulting & Monitoring
Digital Forensics (Computer Forensics)
Definition: Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
Digital Forensics (Computer Forensics)
Applications: Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. Forensics may also feature in the private sector; such as during internal corporate investigations or intrusion investigation (a specialist probe into the nature and extent of an unauthorized network intrusion).
Malware
Definition: Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. While it is sometimes software, it can also appear in the form of script or code. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software.
Malware
Predictions 2012:
• Targeted attacks grow more damaging and complex
• Illicit social media scams escalate
• Mobile Malware menaces users and organizations
• Compromised websites serving malicious content accelerate
• Major sport events draw major cyber attacks
• Attacks on Cloud Services inevitable
Digital Evidence
Definition: Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.
Digital Evidence
ACPO Guidelines: Good practice guide for computer based electronic evidence.
ACPO – Association of Chief Police Officers (England; Wales; Northern Ireland)
7Safe – www.7safe.com
Digital Evidence
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
ACPO vs Malware
Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Malware example: RAM capture. Acquiring memory from a running system means acting on the original evidence and changing its state, so the examiner must be competent to do it and able to explain why it was necessary and what it changed.
Trojan Defense
Defense: My computer has in fact been used to commit a crime, but I wasn’t responsible for any of the actions I’m being charged with. My computer might have had a Trojan (or other Malware) installed by someone else without my knowledge, and has been used to commit a crime.
Trojan Defense 2
Defense: My computer has in fact been used to commit a crime, but I wasn’t responsible for any of the actions I’m being charged with. My computer might have had a Trojan (or other Malware) installed by someone else without my knowledge, and has been used to commit a crime. Even if the Malware was not found in a forensic analysis, it could be that the Malware was only in RAM.
Evidence Collection
Steps:
- Non-digital environment
- Freeze the crime scene
- Pictures & stickers
- Forensic image
- Hash
Evidence Manipulation
What not to do:
- Turn the device on and boot it
- Boot the device in another computer
- Run antivirus
- Open files and applications
- Install applications and copy files into own device

Chain of custody: refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
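The hash step of evidence collection and the chain of custody above, as an added example in Python (not code from the presentation or from DRC). It hashes a constructed stand-in for a disk image with MD5 and SHA-256 in a single pass, records each custody action in a log where every record carries the SHA-256 of the previous record, and re-verifies both the image and the log, which is what ACPO principle 3 asks of an independent examiner. Examiner names, the evidence sticker number and the image bytes are constructed for the example.

```python
"""Forensic image hashing and a tamper-evident chain-of-custody log.

Added example; not code from the DRC presentation. Examiner names, the
sticker number and the image bytes are constructed for illustration.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for the bytes of an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504

CHUNK = 1 << 20  # 1 MiB: real images are far too large to read in one go


def hash_stream(stream) -> dict:
    """Hash an image stream once, producing MD5 and SHA-256 in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (a file object works the same way)."""
    return hash_stream(io.BytesIO(data))


def verify_image(data: bytes, recorded: dict) -> bool:
    """Re-hash the image and compare with the values recorded at acquisition.

    A second examiner repeating this must get the same result (ACPO principle 3).
    """
    return hash_bytes(data) == recorded


def _entry_hash(body: dict) -> str:
    # Canonical JSON so that key order cannot change the hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log: list, action: str, examiner: str, hashes: dict, when=None) -> dict:
    """Append a chain-of-custody record.

    Each record carries the hash of the previous record, so editing or deleting
    an earlier record breaks every link after it.
    """
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "action": action,
        "examiner": examiner,
        "image_hashes": hashes,
        "previous": prev,
    }
    body["entry_hash"] = _entry_hash(body)
    log.append(body)
    return body


def verify_log(log: list) -> bool:
    """Recompute every record's hash and check the links between records."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["previous"] != prev or entry["entry_hash"] != _entry_hash(body):
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    acquired = hash_bytes(SAMPLE_IMAGE)
    log = []
    add_entry(log, "seized; photographed; sticker EV-001 applied", "examiner A", acquired)
    add_entry(log, "forensic image created and hashed", "examiner A", acquired)
    add_entry(log, "transferred to lab; hash re-verified", "examiner B", hash_bytes(SAMPLE_IMAGE))
    print("image intact:", verify_image(SAMPLE_IMAGE, acquired))
    print("log intact:", verify_log(log))
```

Two hash algorithms are recorded because many reports of that period listed MD5 alongside SHA-256; the comparison in `verify_image` only succeeds when both match. The log entries are plain JSON-serialisable dictionaries, so they can be written to a file and handed to a third party together with the image.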
Malware Analysis
Why is it so hard to find Malware creators and users?

Malware:
- Forensic imaging; logs; etc.
- Privacy issues
- Reverse engineering
- Find evidence of the relation between victim and attacker
- Find geographic location
- Cooperation between countries
- Coordination between ISPs
- Locate attacker & evidence
Future?
Thanks! Q & A?
David Marques