introduction to security forensics and incident handling
play

Introduction to Security Forensics and Incident Handling Ming Chow - PowerPoint PPT Presentation

Jan 27, 2024 •291 likes •492 views

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

  1. Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow

  2. Topic Outcomes • Acquire data (from a disk) using `dd` • Analyze image of disk from `dd` using forensics tools including Autopsy/Sleuth Kit , Foremost • Recover deleted files off a disk

  3. Scenario Imagine you have been attacked, compromised, or is involved in a criminal incident. What’s the evidence? What happened? When? Who was involved?

  4. What is Forensics? • Preservation (of computer media) • Identification (of computer media) • Extraction (of computer media) • Interpretation • Documentation

  5. The Process • Assess the situation • Acquire data • Analyze data • Report

  6. Law Enforcement: Before Accessing Situation, Obtain Search Warrant

  7. Example of a Search Warrant

  8. Example of a Search Warrant (continued)

  9. Terminology • Volatile data : RAM, processes • Non-volatile data : Hard disks, USB drives • Physical acquisition : Bit-by-bit copy of entire physical store • Logical acquisition : Bit-by-bit copy of directories and files on a file system partition • Write blockers : "Devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands” [1] • Chain-of-custody : Chronological documentation from "crade-to-grave" (i.e., warrant, seizure, custody, control, transfer, analysis, disposal)

  10. To Ponder • What could possibly go wrong if you don’t use a write blocker to acquire evidence, data? • What are the pros and cons of physical vs logical acquisition? When would you want to use one over the other?

  11. Forensics Tools • strings • md5/sha1/sha256/sha512 • dd • FTK • Encase • stegdetect • Sleuth Kit and Autopsy • Foremost

  12. Demo Time • dd • Sleuth Kit and Autopsy • Foremost

  13. Incident Handling • Generalized and broad term • Incorrect? • Incident Handling (IH) is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner. • Incident Response (IR) is all of the technical components required in order to analyze and contain an incident. • https://isc.sans.edu/forums/diary/Incident+Response+vs+Incident+Handling/6205 • Rebuttal by Richard Bejtlich • tl;dr IH and IR are the same • https://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html

  14. Why Incident Handling is Important • Chaos • Barking up the wrong trees • Dead-end investigations • Hard to accumulate knowledge, experience • Legal issues • Cost overruns • Organization (i.e., do not know who to contact)

  15. Incident Handling vs Forensics • There are overlaps • Forensics: "finding and documenting the actions of a person or persons in relation to other people or places or activities. Must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.” [2] • Incident Handling: generally speaking, must be well versed with many facets of IT and information security.

  16. Incident Handling Phases • Preparation • Identification • Containment • Eradication • Recovery • Lessons Learned • Take SANS’ SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling https://www.sans.org/course/hacker-techniques-exploits- incident-handling • Read: https://www.sans.org/reading- room/whitepapers/incident/incident-handlers-handbook-33901

  17. For a Deeper Dive into Incident Handling • Take SANS’ SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling https://www.sans.org/course/hacker-techniques-exploits-incident-handling • Yours truly is an alumnus of the course back in 2007 • SANS GCIH certification https://www.giac.org/certification/certified-incident- handler-gcih • Read: https://www.sans.org/reading-room/whitepapers/incident/incident- handlers-handbook-33901

  18. Anti-Forensics (or countering against forensics) Full-disk wipe using DoD 5220.22-M • https://www.nispom.org/NISPOM_2006.pdf • Remove logs • Steganography • Encryption (full-disk, VeraCrypt, BitLocker for Windows, FileVault for macOS) • Put disk into BBQ or fire pit •

  19. Forensics 1. http://forensicswiki.org/wiki/Write_Blockers 2. http://exforensis.blogspot.com/2009/09/how-is-computer- forensics-different.html

Recommend

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides
Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

558 views • 28 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

704 views • 39 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job => I avoid RE as much as

670 views • 15 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond Choo The role of digital forensics in incident handling Sources of digital evidence: Any computing devices capable of storing electronic

527 views • 16 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke Presentation Overview 1. Incident Response Lifecycle 2. Forensic Artifacts 1. DISK & RAM 3. Demo Incident Response Lifecycle 1.Preparation

575 views • 34 slides
Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

790 views • 63 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Linux Memory Analysis Workshop Session 1 Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide ranging forensics investigations Volatility Developer Former Blackhat, SOURCE, and DFRWS speaker

1.64k views • 162 slides
iOS Forensics with Open-Source Tools Andrey Belenko AGENDA Basics iOS Security iOS

iOS Forensics with Open-Source Tools Andrey Belenko AGENDA Basics iOS Security iOS

iOS Forensics with Open-Source Tools Andrey Belenko AGENDA Basics iOS Security iOS Data Protection Hands-On! FORENSICS 101 Acquisition Analysis Reporting GOALS: 1. Assuming physical access to the device extract as much

763 views • 41 slides
Handling Is A Requirement For Security C. Matthew Curtin, CISSP Interhack Corporation Conflict

Handling Is A Requirement For Security C. Matthew Curtin, CISSP Interhack Corporation Conflict

Effective Incident Handling Is A Requirement For Security C. Matthew Curtin, CISSP Interhack Corporation Conflict of Interest C. Matthew Curtin, CISSP has no real or apparent conflicts of interest to report. What We Hope to Learn Today 1

294 views • 17 slides
CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun Jiwasurat Division Director, Office of Security, ETDA 1 ThaiCERT: A Quick Glance A government funded unit, established in 2000 The first and

654 views • 22 slides
Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis

Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis

Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007 Company Overviews MANDIANT

1.38k views • 69 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
Using Microbial Forensics to Strengthen Biosecurity and the Implementation of UN Security Council

Using Microbial Forensics to Strengthen Biosecurity and the Implementation of UN Security Council

Using Microbial Forensics to Strengthen Biosecurity and the Implementation of UN Security Council Resolution 1540 Dana Perkins, PhD 1540 Committee Expert Science Needs for Microbial Forensics: Developing an International Science Roadmap

616 views • 14 slides
Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

EGI Community Forum 2014 Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel NIKHEF All the hard work: Heiko Reese KIT-CERT ( ) Sven Gabriel? 20042007: FZK Karlsruhe, T-1 GridKa Site Admin

1.19k views • 38 slides
Nuix Workshop Introduction to Forensics W HAT IS C OMPUTER F ORENSICS ? Computer

Nuix Workshop Introduction to Forensics W HAT IS C OMPUTER F ORENSICS ? Computer

Nuix Workshop Introduction to Forensics W HAT IS C OMPUTER F ORENSICS ? Computer forensics, also called cyber forensics, is the applica6on of scien6fic method to computer

464 views • 33 slides

More recommend