Wanted: Dead or Alive
Tips, Reminders and Use Cases for Live vs. Dead Box Imaging
Caveats
• These methodologies are mine
• Not inflexible
• Methods might vary based on value of target
– baseline is a routine civil collection
Dead Drive Imaging
• OS not interacting with volume (not system volume)
• OK to boot hardware RAID
• Typically easiest to do “forensically” and “defensibly”
Live Imaging
Imaging software is run on system that can interact with target
Software Solutions
• Forensic enterprise software – F-Response, EnCase Enterprise, FTK Enterprise, etc.
• Live imaging host software – FTK Imager, dcfldd, etc.
Less-Than-Forensic
Administrative, built-in file manipulation:
• Robocopy
• Windows Copy
• 3rd party non-forensic tools
Note: Using these methods does not change the need for documentation and chain of custody
Major Decisions
• What’s the platform?
• What is the target data?
• Are applications running or stopped?
• How much change is likely to occur to a system during imaging process?
General Protocols
In order from least to most proof of integrity
• Application Data Dumps
• Forensic/Non-Forensic File Copy
• Live Logical Image
• Live Physical Image
• Dead Drive Image
When I Do Application Data Dumps
Databases, Email Servers, Financial Applications
• Includes use of 3rd party live extraction tools
• Whenever possible AND
– Integrity of target data is not in doubt
– Server cannot be taken down
– Data requires intensive manipulation to get into equivalent format
– Output is suitable for its purpose
When I do File Copies
Log Files, User Documents, File Share Data
• Files are not locked by another process
• Interaction with operating system/file system is not a component of investigation
• Media is very large and data needed is much smaller - payoff
• Deleted files are not of concern
• Unallocated space is useless
Live Partition and Drive Collection & “Image Blur”
• $MFT Data Read Early
• Data of importance can:
– Grow
– Shrink
– Move
– Be created
• Results in apparent corruption
When I Do Live Logical Images
• System cannot be brought offline
• Enterprise agent-based collection
• System is already on (don’t forget the memory dump if needed)
• Blur, corruption of changing data is not a problem
• Physical disk is encrypted
• MBR, unused disk space is not of concern
When I Do Live Physical Images
• System cannot be brought offline
• Enterprise agent-based collection
• System is already on (don’t forget the memory dump if needed)
• Blur, corruption of changing data is not a problem
• Physical disk is encrypted
• MBR, unused disk space is not of concern
When I do Dead Box Imaging
• System is off on arrival, even if I intend to do a logical image too
• After Logical Image
• After Memory Dump
• Defendability:
– Same hash across multiple images of the same device
• Usually “best evidence”
• Use a logical partition image for an SSD drive if hashes must match across multiple images
THE E-DISCOVERY & FORENSICS BALANCING ACT
Stacey Randolph Edwards
June 10, 2014
E-DISCOVERY
• What is it?
• What does a client think e-discovery is?
• What does a forensics/e-discovery firm think e-discovery is?
FORENSICS
• What is it?
• What does a client think digital forensics is?
• What does a forensics/e-discovery firm think digital forensics is?
CLIENT REQUEST
“We need to collect, search, and produce ALL of the data!”
What is ALL of the data?
QUESTIONS TO ASK CLIENT
• Do you have a court order?
• Do you have all parties identified?
• Do you know how your data is stored?
• Do you need deleted data?
• Do you need searches performed over the data?
• Do you need analysis performed on the data?
IDENTIFYING SOURCES
Human Component
• Court order
• Interviews
Data Component
• Servers
• Computers
• Cloud
• USB/Externals
• BYOD
SEARCHING & PROCESSING
SEARCHING
• Active Files
• Deleted Files
• System Files
• User Documents
• Special Programs
PROCESSING
• Emails
• Documents
• Special Files
• OCR
• Unreadable Files
• Infected Files
DELIVERABLES
• Bates Numbers & Format
• DocID Numbers & Format
• Stamping
• Page numbers
• Bates/DocID
• Confidential
• Special Requests
• Native Files
• TIFF Files
• PDF Files
• Specific Program
• Concordance
• Summation
IDENTIFICATION
E-discovery
or
Forensics?
CONTACT INFORMATION
COMPANY
The Sylint Group
Sarasota, FL
(941) 951-6015
SOCIAL MEDIA
Twitter: @4n6woman
LinkedIn: Stacey Randolph
HOW BAD GUYS STEAL STUFF
Jonathan Spruill
Senior Security Consultant, SpiderLabs
DNS Hunting Like a Boss
Hid.den.net a2d5xiiop8sstun34thxvm.ru
Pete Hainlen
• Threat Analyst, CISSP
• Developer for 4 years
• Sysadmin for 11 years
• Security for 2 years
• Host and network forensics, incident response, proactive hunting
What’s the Big Deal
•Malware goes undetected by antivirus or IDS
“The least-detected malware … went undetected by the majority of AV scanners for months, and in some cases was never detected at all.”
Quote source: http://securityaffairs.co/wordpress/25385/malware/zero-day-malware-detection.html
Why DNS?
• All domain name resolutions are logged
•Easy to pick out the bad stuff
•Augments current detection mechanisms
•It’s cool to impress your boss
Issues
• Scalability
– 28k per minute
– 50 million++ DNS requests daily
– 100,000++ endpoints
• DNS aggregation
Techniques
• SIEM data export or syslog
– Batch vs. realtime
• Scripting
– Python, PowerShell
• Reporting
– HTML, CSV
Filter
• Only DNS queries with periods
– Known TLDs: com, edu, net
• Only external domains
– Domains you don’t own
• Whitelist: top talkers, trusted domains
Identify
• Threat intelligence domains
• HR policy violation domains (porn)
• Phishing domains
– Contains: update, helpdesk, admin, account (e.g. helpdesk-updateweb2014.org)
– Contains: company name derivative (e.g. your-company-password-update.info)
– Elevate if 1 or more dashes or .info TLD
• Dynamic DNS: kuozbcwo.servequake.com
• Free DNS: qwfrjalii.freehostia.com
• Suspicious TLDs: .cc, .cn, .ru, .su
Domain Generation Algorithms
• Malware authors use them so their domains don’t get sinkholed
• Domains containing more than 3 digits
– g4bnv35fw9p.info
– [regex]::matches($FQDN,"[0-9]").count
• Lengthy DNS names (length -ge 20)
– ipudklsbqlddihalssdkhfbpshkd.ru
• 1-hit wonders
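The Filter, Identify and DGA heuristics from the three slides above as one runnable pipeline over sample DNS log lines; this is an added Python example, not the presenter's script. The log lines, the owned/whitelisted/dynamic-DNS/free-DNS lists and the company-name tokens are constructed assumptions, and the registered-domain split is a two-label simplification.

```python
import re
from collections import Counter

# Constructed sample DNS query log ("client fqdn" per line); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 intranet
10.0.0.7 helpdesk-updateweb2014.org
10.0.0.7 your-company-password-update.info
10.0.0.9 kuozbcwo.servequake.com
10.0.0.9 qwfrjalii.freehostia.com
10.0.0.11 g4bnv35fw9p.info
10.0.0.11 ipudklsbqlddihalssdkhfbpshkd.ru
10.0.0.12 www.example.com
10.0.0.12 mail.acme-corp.com
10.0.0.13 cdn.example.net
"""

# Site-specific lists; every entry below is an assumption made for the example.
KNOWN_TLDS = {"com", "edu", "net", "org", "info", "cc", "cn", "ru", "su"}
OWN_DOMAINS = {"acme-corp.com"}             # "domains you don't own" filter
WHITELIST = {"example.com", "example.net"}  # top talkers, trusted domains
COMPANY_TOKENS = ("acme", "your-company")   # company-name derivatives
PHISH_WORDS = ("update", "helpdesk", "admin", "account")
DYNDNS_PROVIDERS = {"servequake.com"}
FREE_DNS_PROVIDERS = {"freehostia.com"}
SUSPICIOUS_TLDS = {"cc", "cn", "ru", "su"}


def parse_log(text):
    """Yield (client, fqdn) pairs from 'client fqdn' lines; lowercases names."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].lower().rstrip(".")


def registered_domain(fqdn):
    """Last two labels. Simplification: ignores multi-label suffixes like co.uk."""
    return ".".join(fqdn.split(".")[-2:])


def passes_filter(fqdn):
    """Filter stage: names with a period and a known TLD, external only,
    minus the domains you own and the whitelist."""
    if "." not in fqdn:
        return False
    tld = fqdn.rsplit(".", 1)[1]
    reg = registered_domain(fqdn)
    return tld in KNOWN_TLDS and reg not in OWN_DOMAINS and reg not in WHITELIST


def count_digits(fqdn):
    """Python equivalent of the slide's [regex]::matches($FQDN,"[0-9]").count."""
    return len(re.findall(r"[0-9]", fqdn))


def reasons(fqdn, hits):
    """Identify + DGA heuristics as tags; an empty list means not flagged."""
    tld = fqdn.rsplit(".", 1)[1]
    reg = registered_domain(fqdn)
    tags = []
    if any(w in fqdn for w in PHISH_WORDS):
        tags.append("phish-keyword")
    if any(t in fqdn for t in COMPANY_TOKENS):
        tags.append("company-name")
    if "-" in fqdn or tld == "info":
        tags.append("elevate-dash-or-info")
    if reg in DYNDNS_PROVIDERS:
        tags.append("dyndns")
    if reg in FREE_DNS_PROVIDERS:
        tags.append("free-dns")
    if tld in SUSPICIOUS_TLDS:
        tags.append("suspicious-tld")
    if count_digits(fqdn) > 3:          # "more than 3 digits"
        tags.append("dga-digits")
    if len(fqdn) >= 20:                 # "lengthy DNS names -ge 20"
        tags.append("dga-length")
    if hits == 1:                       # "1-hit wonders"
        tags.append("one-hit")
    return tags


def hunt(log_text):
    """Count hits per name, filter, then score; returns {fqdn: [tags]}."""
    hits = Counter(fqdn for _, fqdn in parse_log(log_text))
    candidates = {}
    for fqdn, n in hits.items():
        if passes_filter(fqdn):
            tags = reasons(fqdn, n)
            if tags:
                candidates[fqdn] = tags
    return candidates


if __name__ == "__main__":
    for name, tags in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{name:40s} {', '.join(tags)}")
```

On the constructed log, the two whitelisted names, the internal single-label name and the owned domain drop out in the filter stage, and each of the six survivors carries at least one Identify or DGA tag beyond "one-hit".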
Results
• Filtering 50 million++ DNS queries per day down to 1,000 candidate domains
• Not a week has gone by that we haven’t detected threats missed by antivirus
Thanks for your time.
@phainlen
Andrew Hay, Sr. Security Research Lead & Evangelist, OpenDNS
Common Thought…
I wonder if we knew about (and collected) all of the Internet-enabled devices pertinent to this case?
Introduction
● Prove Internet of Things (IoT) usage, within a location, based on DNS queries
● The Taxonomy
● Next Steps
Source of Information
● Paying security customers: 10k+
● Queries per day: 50b+
● Daily active users: 50m+
OpenDNS IoT Taxonomy (Io2T)
Personal Electronics
● Fitness
  o FitBit, scales, etc.
● Toys
  o Helicopters, children’s tablets, etc.
● Gadgets
  o Video and still cameras
Personal Electronics: Examples
api.nike.com
wd2go.com
Consumer Appliances
● Large appliances
  o Refrigerators, stoves, etc.
● Small appliances
  o Toasters, blenders, etc.
● Entertainment
  o Televisions, media players, game consoles, etc.
Consumer Appliances: Examples
live.xbox.com
mysmartappliances.com (Whirlpool)
Home Automation
● External Home
  o e.g. lawn maintenance devices
● Power management
● Heating, ventilation, and air conditioning (HVAC)
Home Automation: Examples
cloud.irrigationcaddy.com
production.nest.com
Security & Monitoring
● Audio/Video
  o Cameras
  o Baby monitors
● Physical locks
● Alarm systems
● Environmental monitors
  o Flood, CO2, and fire detection
Security & Monitoring: Examples
signal.mydlink.com
api.lockitron.com
Home/Work Wall Eroding
A Word About Refresh Cycles…
Source: National Association of Home Builders / Bank of America Home Equity Study of Life Expectancy of Home Components – 2007
http://www.nahb.org/fileUpload_details.aspx?contentID=99359
Productizing Research
● Identify and categorize IoT domains into Umbrella
● Create community for IoT telemetry submissions
  o e.g. PCAPs, IPs, domains, URLs, etc.
● Provide access to Law Enforcement and DFIR community
  o Open IoT Database
False Positive: The Eye of the Biased Examiner
Alissa Torres
SANS Institute [email protected]
@sibertor
“The eyes are not responsible when the mind does the seeing”
- Publilius Syrus
What is Bias?
• An inclination to present or hold a partial perspective at the expense of (possibly equally valid) alternatives
• Part of human nature - based on how our brains subconsciously make decisions
• Bias has negative impacts on how we process data and can lead to inaccurate findings
Problems with ambiguity
How does Bias Affect Investigations?
Confirmation Bias
• The tendency to search for or interpret information in a way that confirms one’s preconceptions or favored theory
• When an investigator seeks evidence in an effort to support existing beliefs
How does Bias Affect Investigations?
Anchoring
• Effects of Outside Influences
• “Start from scratch with your research. Don’t assume the current tools and books are right.”
  - Dan Pullega “Dr. Shellbags”
How does Bias Affect Investigations?
Availability
• Basing conclusions on past experiences, assuming current case will match patterns of past investigations
How does Bias Affect Investigations?
Loyalty to the Tool
• “Don’t let your tools make you stupid”
- Troy Larson
Strategies to Avoid Bias
• Raise Awareness.
• Admit it.
• Change the process.
• Make alternative perspectives OK.
• Seek creativity rather than consensus.
Day Title © 2013 SANS
Forensics Survivor: What artifacts aren’t being voted off the island?
Jake Williams
@MalwareJake
$whoami
• I only have SIX MINUTES (!?!?) to deliver this whole talk, come talk to me after if you care
What’s this all about?
• Every time I turn around, there are more and more “critical” forensics techniques to apply
– Where will it end?
• Every new technique can’t be a “must do”
• Clearly it’s time to vote some off the island!
– Survivor style!
Mud Volleyball?
• Do they really play volleyball on Survivor???
http://www.today.com/id/33080832/ns/today-today_entertainment/t/survivor-not-harmed-pacific-quake-tsunami/
Voted Off The Island!!!
• Processing a full disk image before doing any analysis
http://gosurvive.blogspot.com
• Need answers sooner, not later
• Techniques that deliver speed win!
Filesystem Journals
• NTFS journaling has traditionally not been well understood
– True correlation with $MFT was unheard of
• All of that has changed with Advanced NTFS Journal Parser (aka TriForce)
– See David Cowen here at the Summit and talk to him about his awesome tool
Don’t Suck At Filesystem Journals
• Cowen makes it seem like we were doing it wrong when we looked at $MFT without truly correlating them to entries in $LogFile and $UsnJrnl
– Because we were doing it wrong!
ggbenitezpr.com
Voted Off The Island!!!
• Looking at $MFT, $LogFile and $UsnJrnl in isolation
survivor-org.wikia.com
Memory Acquisition (Yesterday)
• Most memory forensics tools depend heavily on knowing the OS version
– Currently used methods for determining version involve scanning through memory for OS structures like KDBG
• This then requires profiles to be built containing definitions for other OS structures
Voted Off The Island!!!
• Taking full memory dumps from machines with mega RAM
survivor-org.wikia.com
Memory Acquisition
• In many cases we acquire the memory image ourselves as part of IR
– Why not acquire information about the OS as well – including offsets to critical structures?
• Good question – Rekall and WinPmem are working to make this a standard
– Query the OS during the memory dump to record information that must be inferred later
Memory Artifacts
• The size of memory is growing faster than the average write speeds
– More changes in memory during acquisition
• Tools that parse artifacts from live memory, with a minimal footprint need to be developed
– Or refined – if you like the ones that already exist
sepperman.deviantart.com
Volume Shadow Copies
• Coolest. Thing. Ever. What more can I say?
http://brianjarrett.com/2010/12/28/coolest-thing-ever/
Volume Shadow Copies (2)
• VSCs kick butt in a huge way
• When combined with hibernation files, they provide a true Window to the past
• Did you know that $MFT gets backed up in VSS? Yeah, that’s a big win!
– $LogFile does too – and that makes me happy
VSC + Hibernation = Holy Cow
http://www.artbytom.com/illustration-services/holy-cow-birthday-card.html
Hiberfil.sys in VSC – Yeah Baby!
• I’ve had cases turn recently based on hibernation files in VSC
– One case involved a laptop that hibernated when the lid was closed
– Another case involved a desktop set to hibernate when it had been idle for too long
• Too many investigators ignore the forgotten wonders of VSC and few get the hiberfil.sys
Questions?
• Ain’t nobody got time for that, this is SANS360!
funny-pictures.picphotos.net
Rekall Memory Forensics
Elizabeth Schweinsberg
What is Rekall?
● A fork of the Volatility memory analysis framework.
  o Fully open source and GPL - all commits are public.
  o Focus on:
    - Code quality - code reviews.
      ● Most of the code is rewritten/updated.
    - Performance.
    - Ease of use as a library - integrated into other tools.
      ● E.g. GRR, plaso (nee log2timeline)
TODO:
Screenshot of Rekall inside GRR.
How is it different from Volatility?
● Rekall uses a different design philosophy:
  o Exact symbol information for the analyzed system
    - e.g. Fetch from Microsoft Symbol Server.
  o Store profiles in a public profile repository
    - Rekall fetches the required profile at runtime.
    - We have over 200 different kernels in the repository.
    - Matching PDB GUID increases transparency of mapping the right kernel.
How is it different from Volatility?
  o This means we do not need to guess or try to deduce global symbols.
    - This makes Rekall much faster, more efficient and more accurate.
    - For example, Rekall does not use the Kernel Debugger Block
      ● This can easily be overwritten by malware. Or newer versions of Windows.
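As an added example (not Rekall's own code), here is how the PDB GUID and age that pin down one exact kernel build are read from a PE's CodeView RSDS debug record and turned into the key the Microsoft symbol server uses, which is the same kind of exact match a profile repository can be indexed on instead of scanning memory for the KDBG; the RSDS record bytes, GUID and profile index are constructed.

```python
"""Read the PDB GUID and age from a CodeView (RSDS) debug record and build
the symbol-server key that identifies one exact kernel build.
Added example; the sample record and the profile index are constructed."""
from __future__ import annotations

import struct
import uuid

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def parse_rsds(record: bytes) -> tuple[uuid.UUID, int, str]:
    """Parse an RSDS record: 'RSDS' signature, 16-byte GUID (first three
    fields little-endian, as Windows stores GUIDs), 4-byte little-endian
    age, then a NUL-terminated PDB path."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    pdb_path = record[24:end].decode("utf-8", errors="replace")
    return guid, age, pdb_path


def symbol_key(guid: uuid.UUID, age: int) -> str:
    """Symbol-server convention: the GUID as 32 uppercase hex digits in
    registry order, immediately followed by the age in uppercase hex."""
    return f"{guid.hex.upper()}{age:X}"


def symbol_server_url(pdb_path: str, guid: uuid.UUID, age: int) -> str:
    """URL under which the symbol server publishes exactly this PDB."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{SYMBOL_SERVER}/{name}/{symbol_key(guid, age)}/{name}"


def lookup_profile(record: bytes, repository: dict[str, str]) -> str | None:
    """Pick the profile whose key matches the kernel's GUID+age exactly.
    A missing key returns None: no guessing and no near matches."""
    guid, age, _ = parse_rsds(record)
    return repository.get(symbol_key(guid, age))


def constructed_record() -> bytes:
    """Constructed sample: a made-up GUID, age 2, and a kernel PDB name."""
    guid = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")
    return b"RSDS" + guid.bytes_le + struct.pack("<I", 2) + b"ntkrnlmp.pdb\x00"


if __name__ == "__main__":
    rec = constructed_record()
    g, a, p = parse_rsds(rec)
    print(symbol_server_url(p, g, a))
    # Constructed profile index keyed the same way as the symbol server.
    index = {symbol_key(g, a): "profile-for-this-kernel (constructed)"}
    print(lookup_profile(rec, index))
```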
How is it different from Volatility?
● Rekall distributes and supports a complete memory acquisition solution.
  o We have synergy between acquisition and analysis.
  o Support all major operating systems:
    - Windows - Winpmem tool.
    - Linux - pmem tool.
    - OSX - OSXPmem tool (supports 10.9.3).
  o Rekall acquisition tools allow for live system analysis (Triaging etc).
Rekall user interfaces.
● Command line interface.
● Interactive IPython console - very fast.
● IPython notebook.
● New web console - Rekall specific web interface.
http://www.rekall-forensic.com/
The Need for Network Security Monitoring
Capture all the things
JP Bourget
@punkrokk
Agenda
• What is NSM
• A reference NSM stack
• Why is it useful
• How does it apply to DFIR?
• Review
Network Security Monitoring
• Definition: the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions (or policy violations).
Source: Richard Bejtlich
• Application: Storing Full Packet Capture (FPC), Bro logs, Snort logs and more to go back and look at interesting and anomalous network activity
Bro?
• Bro (bro.org):
– Provides rich application protocol logging and analysis
– Provides a network event driven, policy agnostic scripting language to interact with your network
– You can
• Count things, measure things, notice things, check things, match things
– If you have never looked at Bro, you may want to
Example NSM Stack (Security Onion)
Why is it useful for DFIR?
• Provides the Ground Truth of what happened
• It’s becoming cheap to store Full Packet Capture for long periods of time
• Lets you put together a larger picture than host based analysis – FAST! (e.g. who clicked that phishing email)
• Lets you figure out what actually happened with that mysterious SIEM alert – you can see the network traffic
• Warning: Encryption causes us to lose some visibility (don’t bother capturing it)
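As an added example (not the talk's or Bro's own code), the following parses a constructed Bro dns.log excerpt and reports which internal hosts resolved the IoT telemetry domains listed earlier in the deck (api.nike.com, production.nest.com and the others), showing how the Umbrella IoT categorization and the "go back and look at the Bro logs" side of NSM fit together; the log lines, client addresses and answers are all constructed.

```python
"""Triage a Bro dns.log for hosts resolving IoT telemetry domains.
Added example; the log lines and the IP addresses are constructed."""
from __future__ import annotations

from collections import defaultdict

# IoT telemetry domains named in the talk, grouped by the slide they appear on.
IOT_DOMAINS = {
    "personal_electronics": ("api.nike.com", "wd2go.com"),
    "consumer_appliances": ("live.xbox.com", "mysmartappliances.com"),
    "home_automation": ("cloud.irrigationcaddy.com", "production.nest.com"),
    "security_monitoring": ("signal.mydlink.com", "api.lockitron.com"),
}

# Constructed dns.log excerpt in Bro's ASCII log format: '#' header lines
# declare the separators, field names and types; every other line is one
# tab-separated record, with '-' for an unset field.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\tanswers\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tvector[string]\n"
    "1401379200.101\tCa1\t10.1.20.15\t51000\t10.1.0.2\t53\tudp\tapi.nike.com\tA\t203.0.113.10\n"
    "1401379201.202\tCa2\t10.1.20.15\t51001\t10.1.0.2\t53\tudp\tintranet.example\tA\t10.1.5.5\n"
    "1401379203.303\tCa3\t10.1.20.22\t51002\t10.1.0.2\t53\tudp\tproduction.nest.com\tA\t203.0.113.20,203.0.113.21\n"
    "1401379204.404\tCa4\t10.1.20.22\t51003\t10.1.0.2\t53\tudp\tfoo.live.xbox.com\tA\t-\n"
    "#close\t2014-05-29-16-00-05\n"
)


def parse_bro_log(text: str) -> list[dict[str, object]]:
    """Parse Bro's ASCII log format, honouring the separators and field
    list from the header. Unset fields become None; set/vector typed
    fields are split on the set separator."""
    sep, set_sep, unset = "\t", ",", "-"
    fields: list[str] = []
    types: list[str] = []
    records: list[dict[str, object]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # '#separator' is followed by a space; later headers use sep.
            key, _, value = line.partition(" " if line.startswith("#separator") else sep)
            if key == "#separator":
                sep = value.encode().decode("unicode_escape")  # e.g. \x09 -> tab
            elif key == "#set_separator":
                set_sep = value
            elif key == "#unset_field":
                unset = value
            elif key == "#fields":
                fields = value.split(sep)
            elif key == "#types":
                types = value.split(sep)
            continue
        values = line.split(sep)
        if not fields or len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rec: dict[str, object] = {}
        for name, typ, raw in zip(fields, types or [""] * len(fields), values):
            if raw == unset:
                rec[name] = None
            elif typ.startswith(("vector", "set")):
                rec[name] = raw.split(set_sep)
            else:
                rec[name] = raw
        records.append(rec)
    return records


def iot_category(name: str) -> str | None:
    """Match a queried name against the IoT list, including subdomains."""
    q = name.lower().rstrip(".")
    for category, domains in IOT_DOMAINS.items():
        if any(q == d or q.endswith("." + d) for d in domains):
            return category
    return None


def iot_hosts(log_text: str) -> dict[str, dict[str, list[str]]]:
    """Client address -> {category -> queried names} for IoT matches: the
    starting point for 'which hosts are talking to IoT clouds' in dns.log."""
    found: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for rec in parse_bro_log(log_text):
        query = rec.get("query")
        if isinstance(query, str):
            category = iot_category(query)
            if category:
                found[str(rec["id.orig_h"])][category].append(query)
    return {host: dict(cats) for host, cats in found.items()}


if __name__ == "__main__":
    for host, cats in sorted(iot_hosts(SAMPLE_DNS_LOG).items()):
        print(host, cats)
```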
Lots of Resources
• Applied NSM by Chris Sanders (2014)
• The Practice of Network Security Monitoring by Richard Bejtlich (2013)
• Securityonion.net (Wiki and distro)
• Lots of great blogs: Tao Security, bammv.github.io/sguil/docs.html, David Bianco,
• #snort-gui on Freenode, various tools mailing lists
Consider It
Consider learning more about NSM – it’s becoming an important part of IR!
Thanks!
JP Bourget
@punkrokk