Towards IoT Forensics: Headless and Remote
IT Sec-X 2016
Dr. Martin Schmiedecker
Created: 11/4/2016
Overview
• What is IoT?
• Headless & Remote
• Outlook
What is IoT?
Why is this a problem?
• incident response
• forensic image acquisition
• plenty and plenty of systems
• what can possibly go wrong?
IoT Forensics?
No, seriously! IoT devices are:
1. connected
2. headless
3. diverse
4. small
What is IoT!
Headless & Remote
Tools that already exist:
• GRR Rapid Response (Google)
• osquery (Facebook)
• MIG (Mozilla)
• stenographer
GRR Rapid Response:
• by Google
• specifically built for incident response
• supports Windows, OS X, Linux
• open source since 2011
• written in Python
• uses lightweight, local agents
Pros:
• web GUI
• scales very well
• large setups with 100,000+ client machines
• configuration & roll-out easy
• long-term supported project
Cons:
• not strictly user-friendly (yet)
• initial setup of the server can be tedious
• privacy & legal implications?!
Deployment:
• most logic is server-side
• server generates executables with config
• client simply runs it, done
• easy with Puppet or others
• offline clients run tasks asap when online
osquery:
• by Facebook
• built for monitoring systems & detecting intrusions
• SQL-like query language
• supports Windows, Linux, OS X, FreeBSD
• open source since 2014
Things like:
• running processes
• filesystem changes
• log aggregation
• scan for YARA rules or IOCs
• all in configurable intervals, e.g., every 10 seconds
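As an added illustration (not from the slides), an osquery configuration that schedules the checks listed above every 10 seconds: process snapshots, file changes under /etc, and YARA hits on those files. The paths and the rule file name are constructed placeholders; the `description` fields stand in for comments, which JSON does not allow.

```json
{
  "options": {
    "disable_events": "false",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "running_processes": {
      "query": "SELECT pid, parent, name, path, cmdline, uid FROM processes;",
      "interval": 10,
      "description": "Differential logging emits only processes added or removed since the last run"
    },
    "etc_file_changes": {
      "query": "SELECT target_path, action, time, sha256 FROM file_events WHERE category = 'etc';",
      "interval": 10,
      "removed": false,
      "description": "Relies on the file_paths category below and on events being enabled"
    },
    "yara_hits": {
      "query": "SELECT target_path, matches, count, time FROM yara_events WHERE count > 0;",
      "interval": 10,
      "removed": false,
      "description": "Files changed under /etc are scanned with the ioc_rules signature group on write"
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  },
  "yara": {
    "signatures": {
      "ioc_rules": ["/etc/osquery/yara/ioc_rules.yar"]
    },
    "file_paths": {
      "etc": ["ioc_rules"]
    }
  }
}
```

Scheduled queries are logged by the configured logger plugin, so the output of these three queries can be shipped to a central collector and correlated across many headless devices.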
MIG:
• by Mozilla
• supports Windows, OS X, Linux
• written in Go
• open source since 2013
Things like:
• running processes
• network info, e.g., locate a MAC address
• find specific USB devices which are connected
• also runs on switches
• PostgreSQL backend
stenographer:
• by Google
• writes 10G network packets to disk
• no stream reassembly
• packet sampling, i.e., few reads
• MoonGen vs. stenographer, who will win?
Outlook
Questions?