digital forensics for ssc solvers
play

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital - PowerPoint PPT Presentation

Apr 03, 2023 •96 likes •307 views

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

  1. Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT

  2. Digital Forensics • Methods to collect and analyze (digital) evidence • Three basic phases – Data collection, Analysis, Reporting – Triage • Various sources of information – Host, network • Online (live) vs. Offline analysis • https://wiki.egi.eu/wiki/Forensic_Howto

  3. Triage – is there an incident or not? • Minimize actions – Every contact leaves a trace • Quickly examine the system – Looking for anomalies – Even minor things may matter • If incident is confirmed- isolate services/machines – Proceed to contain incident

  4. Starting investigation • Leif Nixon’s cup of tea/coffee • Any applicable policies? • Security contact(s), teams, … • Do some documentation, note times – Save outputs • Do communication • Isolate the system

  5. Live analysis • Part of triage • Checking live system is often important – Access to memory and working system • Memory can be gathered – Hard to hide something – Processes are “unlocked” – Data can only be available from memory – Independent view on OS structures • But the system may not be yours anymore!

  6. Performing live analysis • Before you start, secure evidence that could be changed – Snapshot(s), take FS metadata, (RAM) • Start with introspection of the whole system – Network connections, running processes, …. – Note processes for additional analysis • After that, examine suspicious processes – resources used – recover files – obtain memory dumps

  7. Processes • A process is an instance of a program – Program is usually an executable file on a disk • Process keeps data in memory, uses system resources – Sometimes released only during termination • Processes form a hierarchy

  8. System examination • Closer look at processes – Strange names, executables – Distributions of PIDs, relationships, CPU consumption • Resources in use • Memory, open sockets (files, networks), shared memory • Investigations – User-space commands (common commands) – Check kernel structures • Correlation of command outputs, access lower-level info

  9. Commands needed • Commands – ps , netstat , lsof • Kernel structures – /proc/$PID • Document/record the process – Keep track of issued commands – Save outputs • Ramdisks (/dev/shm) might be an option

  10. /proc records /proc/31418 -r--r--r-- 1 kouril kouril 0 May 5 18:46 cmdline lrwxrwxrwx 1 kouril kouril 0 May 5 18:46 cwd -> /tmp -r-------- 1 kouril kouril 0 May 5 18:46 environ lrwxrwxrwx 1 kouril kouril 0 May 5 18:46 exe -> /usr/bin/wget dr-x------ 2 kouril kouril 0 May 5 18:46 fd lrwx------ 1 kouril kouril 64 May 5 18:46 0 -> /dev/pts/47 lrwx------ 1 kouril kouril 64 May 5 18:46 1 -> /dev/pts/47 lrwx------ 1 kouril kouril 64 May 5 18:46 2 -> /dev/pts/47 lrwx------ 1 kouril kouril 64 May 5 18:46 3 -> socket:[3097580] l-wx------ 1 kouril kouril 64 May 5 18:46 4 -> /tmp/ubuntu-19.04-desktop- amd64.iso?_ga=2.213675796.1604966281.1557074696-1247976767.1557074696

  11. Deleted files • Unix keeps deleted files open until they are closed • ls /proc/$PID/exe : – lrwxrwxrwx 1 kouril kouril 0 May 4 07:31 exe -> /tmp/wget (deleted) • Proc’s “symbolic links” can be used for easy recovering the data – cp /cat/… /proc/$PID/exe /tmp/dest – The process must be still running! • Both executable and open files (see the fd directory)

  12. Open files (lsof -p 31418 – n) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME wget 31418 kouril cwd DIR 252,0 36864 524291 /tmp wget 31418 kouril rtd DIR 252,0 4096 2 / wget 31418 kouril txt REG 252,0 407696 393524 /usr/bin/wget wget 31418 kouril mem REG 252,0 43616 1049154 /lib/x86_64-linux-gnu/ libnss_files-2.19.so wget 31418 kouril mem REG 252,0 3165552 394658 /usr/lib/locale/locale-arc wget 31418 kouril mem REG 252,0 14664 1064472 /lib/x86_64-linux-gnu/libd wget 31418 kouril mem REG 252,0 1857312 1064478 /lib/x86_64-linux-gnu/libc wget 31418 kouril mem REG 252,0 18936 1050745 /lib/x86_64-linux-gnu/libu wget 31418 kouril mem REG 252,0 207128 397935 /usr/lib/x86_64-linux-gnu/ wget 31418 kouril mem REG 252,0 100728 1048634 /lib/x86_64-linux-gnu/libz wget 31418 kouril mem REG 252,0 1938752 1050644 /lib/x86_64-linux-gnu/libc wget 31418 kouril mem REG 252,0 387272 1050636 /lib/x86_64-linux-gnu/libs wget 31418 kouril mem REG 252,0 149120 1064460 /lib/x86_64-linux-gnu/ld-2 wget 31418 kouril mem REG 252,0 26258 671480 /usr/lib/x86_64-linux-gnu/ wget 31418 kouril 0u CHR 136,47 0t0 50 /dev/pts/47 wget 31418 kouril 1u CHR 136,47 0t0 50 /dev/pts/47 wget 31418 kouril 2u CHR 136,47 0t0 50 /dev/pts/47 wget 31418 kouril 3u IPv4 3101285 0t0 TCP 127.0.0.1:44280->127.0.0.1 wget 31418 kouril 4w REG 252,0 14777874 573900 /tmp/ubuntu-19.04-desktop-

  13. Open network connections (netstat – tnp) Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:9050 127.0.0.1:34902 ESTABLISHED - tcp 0 0 127.0.0.1:44280 127.0.0.1:8118 ESTABLISHED 31418/wget

  14. Dumping process memory • gcore – p PID – o dump – Part of the GDB package • Outputs an ELF file (see later) containing the process memory

  15. Executable file analysis • Static analysis • Dynamic analysis

  16. ELF

  17. Look inside an ELF executable https://binvis.io/

  18. Static analysis of binary files • Determine the type file /bin/bash /bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=7e4c4de7a4d259aeb0896fd579609bb6c27fae8d, stripped • Content analysis – Break down individual ELF sections and analyse them • .rodata - constants (strings) • .data - global tables, variables • .text • readelf – Or do quick examination of the file • Human readable strings – strings – a <binary> • Strings often point to username, file paths, function names, . . . • Malware producers tend to obfuscate important strings – XOR, base64, . . . – Dynamic calls to library functions – dlopen(), dlsym()

  19. Countermeasures • Encoded (packed) binaries – Binary is encoded by a customized algorithm and gets unpacked only during executions – UPX (easy to unpack), or its modifications – Also for scripts – self-executable archives • Obfuscated scripts – very often used for PHP or Javascript

  20. Next Session • A joint walk-through the SSC malware • 35 VMs available for hands-on exercise • SSH client necessary, access credentials will be circulated

Recommend

About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction to Digital Forensics Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer Forensics? What do you Need for a Careers in Computer Digital Forensics? Educational Background

509 views • 29 slides
Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of Digital Evidence: Admissible evidence must be related to the fact being proved Authentic evidence must be real and related to the

1.13k views • 68 slides
Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert Malegiannakis Ricardo Justiniano Introduction - What is Digital Forensics? Digital forensics defined - The process of recovering and interpreting

478 views • 30 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics &amp; Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of

1.04k views • 65 slides
Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using SMT-LIB 2.5 Clifford Wolf 1 Abstract Bounded model checking and other SAT-based formal methods are an important part of todays digital design

773 views • 52 slides
Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute intro to Digital Forensics Some challenges scale cloud the encryption boundary anti-forensics Digital Forensics in 2 mins

415 views • 7 slides
Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico Marziale, Golden G. Richard III, Vassil Roussev Me: Professor of Computer Science Co-founder, Digital Forensics Solutions golden@cs.uno.edu

489 views • 28 slides
HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics Lab Director HTCIA/ICFP/ACM/IEEE/ACIS/ISSA asoto@asoto.com INTENDED AUDIENCE Forensic lab directors / analysts - Law enforcement - Researchers -

568 views • 36 slides
Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Linux Memory Analysis Workshop Session 1 Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide ranging forensics investigations Volatility Developer Former Blackhat, SOURCE, and DFRWS speaker

1.64k views • 162 slides
Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

A RIZONA S TATE U NIVERSITY Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE U NIVERSITY Common Types of Attacks Phishing Malware SQLi XSS MITM DoS Brute-force &amp;

858 views • 55 slides
Electronic Discovery Electronic Discovery &amp; Digital Forensics &amp; Digital Forensics

Electronic Discovery Electronic Discovery &amp; Digital Forensics &amp; Digital Forensics

San Francisco Chapter San Francisco Chapter Electronic Discovery Electronic Discovery &amp; Digital Forensics &amp; Digital Forensics Robert Schperberg New New Federal Rule of Civil Procedures Federal Rule of Civil Procedures Also

654 views • 63 slides
Trends in Mobile Device Forensics Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE, TJFC Director -

Trends in Mobile Device Forensics Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE, TJFC Director -

8/29/2016 Trends in Mobile Device Forensics Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE, TJFC Director - Senator Leahy Center for Digital Investigation @jtrajewski Associate Professor - Digital Forensics | Cyber Security

344 views • 18 slides
Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond Choo The role of digital forensics in incident handling Sources of digital evidence: Any computing devices capable of storing electronic

527 views • 16 slides
CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun Jiwasurat Division Director, Office of Security, ETDA 1 ThaiCERT: A Quick Glance A government funded unit, established in 2000 The first and

654 views • 22 slides
Computational Forensics: Machine Learning and Predictive Analytics Carl Stuart Leichter PhD

Computational Forensics: Machine Learning and Predictive Analytics Carl Stuart Leichter PhD

Fundamentals of Computational Forensics: Machine Learning and Predictive Analytics Carl Stuart Leichter PhD carl.leichter@ntnu.no NTNU Testimon Digital Forensics Group NTNU Testimon Digital Forensics Group Cyber Threat Intelligence and

1.5k views • 131 slides
Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc

Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc

Effective Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc Liberatore Clay Shields University of Massachusetts Amherst Georgetown University rjwalls@cs.umass.edu 1 forensics.umass.edu

578 views • 39 slides
CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and

CSN08101 Digital Forensics Lecture 5: Data management and Autopsy Lecture 5: Data management and Autopsy Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Data Management for Forensics You will learn in this lecture: Command

663 views • 24 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides

More recommend