Memory Forensics and Incident Response
Robert Reed
When we think of cybercrime, external intrusions immediately come to mind, but insiders represent a significant threat to organizations: between 46 and 58 percent of the incidents that caused the largest losses were inside jobs. This is particularly troubling because, in an insider incident, identifying the offender and recovering the assets should be easier than in an external intrusion.
[Chart: intrusions split between insiders and outsiders]
Source: Global Economic Crime Survey 2011, PricewaterhouseCoopers.
Reason not prosecuted (percent of respondents; each value is paired with its label in the order the chart listed the bars):
• Damage level insufficient: 42%
• Could not identify the individual: 40%
• Lack of evidence: 39%
• Negative publicity: 12%
• Concerns about liability: 8%
• Competitors could use it for advantage: 6%
• Prior negative response from law enforcement: 5%
• Unaware the crime was reportable: 4%
• Other: 11%
• Don't know: 20%
In insider incidents, 40 percent of the time those responsible are never identified, or insufficient evidence is obtained for prosecution. This is particularly troubling because, in these incidents, identifying the offenders and recovering the assets should be easier.
Source: 2011 CyberSecurityWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
Why do so many incidents not produce sufficient information for prosecution? To some degree this makes sense when we dig deeper into the numbers: 61 percent of businesses suffering from cybercrime indicated that “they don’t have, or are not aware of having, access to forensic technology investigators.”
Business forensic capabilities (percent of respondents; each value is paired with its label in the order the chart listed the bars):
• Not aware of access to forensic investigators: 61
• No in-house forensics: 60
• No forensic IR procedures: 46
Source: Global Economic Crime Survey 2011, PricewaterhouseCoopers.
Objectives of incident response:
• Collect as much evidence as possible
• Minimize or eliminate changes made to
evidentiary information
• Maintain the integrity of the investigation
• Minimize the disruption to business processes
• Obtain a successful outcome
Striking a balance
• Do we need to do a forensic examination?
– Is there a statutory requirement to report?
– Is there potential liability for not investigating?
– Is there a broader objective in the investigation?
– Is it fiscally responsible?
Typical Incident life cycle
• Identify incident
• Establish approach
• Collect evidence
• Analyze evidence
• Document and report
• Assess and follow-up
Traditional Computer Forensic Response
• Secure location
• Document the scene
• Pull the plug
• Collect evidence
• Image the media
• Analysis
• Reporting
Pros of the traditional approach
• Acceptable for most of the cases law enforcement (LE) is presented with
• Easy to validate the information for court purposes
• Easy to establish and validate SOPs
Cons of the traditional approach
• Increasing drive capacities
• Increased security awareness
– Encryption
– Passwords
– “Personal privacy” software
• Business continuity
• Misses or destroys vital information in RAM: pulling the plug discards running processes, network connections and, on a machine with full-disk encryption, the keys that are needed to read the disk image afterwards
Better approach
• Secure location
• Photograph and document the scene
• Collect volatile data
• Isolate from the network? (decision point)
• Bring the machine down, or take a live image? (decision point)
• Bit-stream image
• Analysis
• Reporting
Order of volatility
1. CPU cache and registers
2. ARP cache, routing table and process table
3. RAM
4. Temporary file systems, swap and page files
5. Fixed and removable media attached
6. Remotely logged data
7. Archives
Collection of volatile data
[Diagram: collection path: tool(s) → utilities → OS → hardware → results]
Concerns
• Reliability of local tools
• Rootkits
• Integrity of evidence
– Authenticity
– Integrity
• Chain of custody
• Security
Collection of volatile data
• cmd
• tasklist
• netstat
• arp
• route
• net commands
• etc.
The problem with native commands is that their results cannot be trusted: on a compromised host a rootkit can filter what they return.
Collection of volatile data
[Diagram: the same collection path, with tool(s) and utilities in user space and OS and hardware in kernel space]
External tools
• cmd? (Are you bringing your own command console?)
• Sysinternals: http://technet.microsoft.com/en-us/sysinternals/default
• Nirsoft: http://www.nirsoft.net/
• Foundstone: http://www.mcafee.com/us/downloads/free-tools/index.aspx
• WFT (Windows Forensic Toolchest): http://www.foolmoon.net/security/wft/
• Tons of others out there
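The three collection slides above (order of volatility, the concerns about local-tool reliability and chain of custody, and bringing your own tools) fit together in one live-response harness. The block below is an added example written for this page; it is not code from the deck or from any of the toolkits listed. It assumes the responder has a `known_good` mapping (hypothetical name) of absolute tool paths to SHA-256 hashes, prepared on a clean workstation, and that every step is described as an artifact name, one of the volatility keys defined in the block, and the argv of the trusted tool to run. Volatility order and the manifest layout are the example's own design choices.

```python
"""Live-response collector: run known-good tools in order of volatility and
write a chain-of-custody manifest. Added example; not from the original deck."""
import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path

# Order of volatility from the deck (lower rank is collected first).
VOLATILITY_RANK = {
    "cpu_registers": 1, "arp_route_process": 2, "ram": 3,
    "temp_swap": 4, "media": 5, "remote_logs": 6, "archives": 7,
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tool(argv0, known_good):
    """Refuse to run a collector whose binary hash is not on the known-good list
    (hypothetical mapping: absolute path -> SHA-256, built on a clean workstation).
    The path is resolved so a symlink or PATH trick cannot substitute a binary."""
    path = str(Path(argv0).resolve())
    expected = known_good.get(path)
    if expected is None:
        raise RuntimeError("no known-good hash for " + path)
    actual = sha256_file(path)
    if actual != expected:
        raise RuntimeError("hash mismatch for %s: %s != %s" % (path, actual, expected))
    return path


def utc(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def collect(steps, outdir, known_good, env=None):
    """steps: iterable of (artifact_name, volatility_key, argv). Each tool runs
    with an empty environment (no inherited PATH), stdout is saved to disk, and
    the manifest records tool hash, arguments, UTC timestamps, exit code and the
    SHA-256 of every output so later handling of the evidence can be verified."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, vkey, argv in sorted(steps, key=lambda s: VOLATILITY_RANK[s[1]]):
        tool = verify_tool(argv[0], known_good)
        started = time.time()
        proc = subprocess.run([tool] + list(argv[1:]), capture_output=True,
                              env={} if env is None else env)
        finished = time.time()
        out_file = outdir / (name + ".txt")
        out_file.write_bytes(proc.stdout)
        manifest.append({
            "artifact": name,
            "volatility_rank": VOLATILITY_RANK[vkey],
            "tool": tool,
            "tool_sha256": known_good[tool],
            "argv": list(argv[1:]),
            "started_utc": utc(started),
            "finished_utc": utc(finished),
            "exit_code": proc.returncode,
            "stderr_sha256": hashlib.sha256(proc.stderr).hexdigest(),
            "output_file": out_file.name,
            "output_sha256": hashlib.sha256(proc.stdout).hexdigest(),
        })
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(outdir):
    """Re-hash every saved output against the manifest; returns the artifacts
    whose contents no longer match (an empty list means the evidence is intact)."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [e["artifact"] for e in manifest
            if sha256_file(outdir / e["output_file"]) != e["output_sha256"]]


if __name__ == "__main__":
    # Stand-alone demo: the Python interpreter plays the role of a trusted tool
    # and prints constructed output; real steps would name e.g. a Sysinternals
    # binary on the responder's USB stick.
    me = str(Path(sys.executable).resolve())
    known = {me: sha256_file(me)}
    demo = [
        ("media_listing", "media", [me, "-c", "print('constructed media listing')"]),
        ("process_table", "arp_route_process", [me, "-c", "print('constructed process table')"]),
    ]
    for entry in collect(demo, "evidence_demo", known):
        print(entry["volatility_rank"], entry["artifact"], entry["output_sha256"][:16])
    print("tampered:", verify_manifest("evidence_demo"))
```

The tool-hash check is what turns "bring your own command console" into something you can defend in court: the manifest proves which binary produced each artifact, and `verify_manifest` lets anyone down the chain of custody confirm the outputs have not changed. Hashing the tool does not help against a kernel rootkit that lies to every user-space program, which is why the deck moves on to memory images next.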
Collection of volatile data
[Diagram: the same collection path, with the OS API as the boundary between user-space tool(s)/utilities and kernel-space OS/hardware]
RAM / image analysis
[Diagram: a RAM / image analysis tool shown beside the tool → OS utilities → OS → hardware path; user space vs. kernel space; results?]
Tool
Imaging and Analysis Tools
• Win32/64 dd
• Dumpit
• Man dd
• FTK Imager
• Belkasoft
• Volatility
• Memoryze
• Redline
• HBGary
Responder
• Encase
• Etc….
Imaging and analysis tools
• Challenges
– Varied implementations
– Anti-forensics programs and techniques
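The reason to image RAM rather than trust `tasklist` is that the two views come from different places: the live command asks the running (possibly rootkitted) kernel, while the analysis tool walks or scans the image without the kernel's cooperation. The block below is an added example for this page, not code from the deck or from the Volatility project: it parses `tasklist /fo csv` output and text in the column layout of Volatility 2's `psscan` plugin, then reports processes that exist in the memory image but were never reported by the live API. Both samples are constructed for illustration (offsets, PDBs and times are invented), and the parsing regex is this example's own, written against that layout.

```python
"""Cross-view process check: live API view (tasklist) vs. memory-image scan
(Volatility psscan). Added example; not from the deck or from Volatility."""
import csv
import io
import re

# Constructed sample of `tasklist /fo csv` output captured on the live host.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"System","4","Services","0","1,236 K"
"smss.exe","244","Services","0","1,056 K"
"csrss.exe","324","Services","0","4,188 K"
"svchost.exe","872","Services","0","9,100 K"
"explorer.exe","1520","Console","1","48,912 K"
'''

# Constructed sample in the column layout of Volatility 2 `psscan` text output.
PSSCAN_TXT = '''Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e0f6030 System                4      0 0x00185000 2012-04-05 19:23:30 UTC+0000
0x000000003e1a2d40 smss.exe            244      4 0x3e1a2000 2012-04-05 19:23:31 UTC+0000
0x000000003e2b5a20 csrss.exe           324    236 0x3e2b5000 2012-04-05 19:23:33 UTC+0000
0x000000003e3c0b00 svchost.exe         872    648 0x3e3c0000 2012-04-05 19:23:40 UTC+0000
0x000000003e4d1c10 explorer.exe       1520   1484 0x3e4d1000 2012-04-05 19:24:02 UTC+0000
0x000000003e5e2d20 notepad.exe        2108   1520 0x3e5e2000 2012-04-05 19:30:11 UTC+0000 2012-04-05 19:31:05 UTC+0000
0x000000003e6f3e30 lsm.exe            1896    872 0x3e6f3000 2012-04-05 19:28:47 UTC+0000
'''

PSSCAN_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)"
    r"\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)"
    r"(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?\s*$")


def parse_tasklist(text):
    """PID -> image name, as reported by the live OS API."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_psscan(text):
    """PID -> (name, exited). Pool scanning also recovers _EPROCESS blocks of
    processes that already terminated, so the exit flag is kept for filtering."""
    procs = {}
    for line in text.splitlines():
        m = PSSCAN_RE.match(line)
        if m:
            procs[int(m.group(3))] = (m.group(2), m.group(7) is not None)
    return procs


def cross_view(live, scanned):
    """Return (hidden, mismatched). hidden: running processes present in the
    image but missing from the API view, the classic rootkit symptom.
    mismatched: PIDs in both views whose names disagree, which is either PID
    reuse between the two snapshots or a process masquerading under another's
    PID. _EPROCESS names are truncated to 15 characters, so compare on that prefix."""
    hidden, mismatched = [], []
    for pid, (name, exited) in sorted(scanned.items()):
        if exited:
            continue                      # terminated process: not an indicator
        if pid not in live:
            hidden.append((pid, name))
        elif not live[pid].lower().startswith(name.lower()[:15]):
            mismatched.append((pid, live[pid], name))
    return hidden, mismatched


if __name__ == "__main__":
    hidden, mismatched = cross_view(parse_tasklist(TASKLIST_CSV), parse_psscan(PSSCAN_TXT))
    for pid, name in hidden:
        print("HIDDEN   pid=%-5d %s (in memory image, not reported by tasklist)" % (pid, name))
    for pid, live_name, scan_name in mismatched:
        print("MISMATCH pid=%-5d live=%s image=%s" % (pid, live_name, scan_name))
```

Two caveats matter in practice. The live listing and the memory image are never taken at the same instant, so short-lived processes show up as false positives; the exit-time filter removes the ones the scanner knows have terminated, and the rest need a look at creation times. And a process that is absent from both views, because the rootkit unlinked it from the kernel's list and the scanner's pool tag was overwritten, is not found by this comparison at all; that is the "anti-forensics" challenge on the slide above.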
Direct Memory Access
[Diagram: a DMA tool reaches the hardware directly, outside the user-space tool → OS utilities → kernel-space OS path; results?]
http://www.breaknenter.org/projects/inception/
“Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.”
“Goldfish was a project by Afrah Almansoori, Pavel Gladyshev, and Joshua James aimed at the extraction of user password and fragments of AIM instant messenger conversations directly from RAM of Apple Mac computers. Goldfish software can be used against 32 bit versions of Mac OS X up to and including Mac OS X (10.5) Leopard.”
http://digitalfire.ucd.ie/?page_id=430
Direct Memory Access
• Advantages
– Bypass passwords to gain access
– Recover passwords (keyboard buffers)
– Evade current anti-forensics techniques
Direct Memory Access
• Challenges
– Hardware dependent!
– Physical access!
– Disabled drivers?
– Only 4 GB of address space is reachable (0x00000000 to 0xffffffff, a 32-bit DMA window); on a machine with more RAM, memory above 4 GB is out of reach
Direct Memory Access
• Mitigation
– Windows
• Block the SBP-2 driver: http://support.microsoft.com/kb/2516445
• Remove FireWire and Thunderbolt drivers
– Macs
• FileVault 2 (OS X Lion) with the screen locked
• Firmware password
– Linux
• Disable DMA
• Remove FireWire drivers
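"Disable DMA" and "remove FireWire drivers" on Linux come down to two things: keep the FireWire modules from loading, and have an IOMMU in place so that even a driver that does load cannot hand a device the whole physical address space. The block below is an added example for this page, not code from the deck. It generates the modprobe configuration that blocks the current Linux FireWire stack (firewire-core, firewire-ohci, firewire-sbp2) and audits a host for the three facts a responder wants before trusting a locked machine: is a 1394 controller present, is its driver loaded, and are IOMMU groups exposed. The /proc and /sys paths are the standard kernel interfaces; they are parameters so the checks can also run against copies captured from another system.

```python
"""FireWire DMA exposure audit and modprobe blacklist generator for Linux.
Added example; not from the original deck."""
from pathlib import Path

FIREWIRE_MODULES = ("firewire-core", "firewire-ohci", "firewire-sbp2")

# PCI class 0x0c00 = serial bus controller, IEEE 1394 (prog-if 0x10 is OHCI).
IEEE1394_CLASS_PREFIX = "0x0c00"


def blacklist_conf(modules=FIREWIRE_MODULES):
    """Content for /etc/modprobe.d/blacklist-firewire.conf. `blacklist` alone
    only stops alias-based autoloading; the `install ... /bin/false` line makes
    an explicit `modprobe` fail as well, which is what actually keeps the
    driver out of the kernel."""
    lines = ["# Block the FireWire stack to close the SBP-2 DMA path"]
    lines += ["blacklist %s" % m for m in modules]
    lines += ["install %s /bin/false" % m for m in modules]
    return "\n".join(lines) + "\n"


def loaded_firewire_modules(proc_modules="/proc/modules"):
    """Names of FireWire modules currently loaded (the kernel reports them
    with underscores, e.g. firewire_ohci)."""
    p = Path(proc_modules)
    if not p.exists():
        return []
    wanted = {m.replace("-", "_") for m in FIREWIRE_MODULES}
    names = [line.split()[0] for line in p.read_text().splitlines() if line.split()]
    return sorted(n for n in names if n in wanted)


def firewire_controllers(sys_pci="/sys/bus/pci/devices"):
    """PCI addresses of IEEE 1394 controllers present on the bus."""
    root = Path(sys_pci)
    if not root.is_dir():
        return []
    found = []
    for dev in sorted(root.iterdir()):
        try:
            cls = (dev / "class").read_text().strip().lower()
        except OSError:
            continue
        if cls.startswith(IEEE1394_CLASS_PREFIX):
            found.append(dev.name)
    return found


def iommu_active(iommu_groups="/sys/kernel/iommu_groups"):
    """True if the kernel exposes IOMMU groups, i.e. DMA remapping is enabled.
    This is a coarse check: it says the IOMMU is on, not that every device is
    confined, so treat it as one control rather than a guarantee."""
    root = Path(iommu_groups)
    return root.is_dir() and any(root.iterdir())


def assess(controllers, loaded, iommu):
    """'none' if there is no 1394 controller; 'exposed' if one exists with its
    driver loaded and no IOMMU; 'reduced' if at least one control is in place."""
    if not controllers:
        return "none"
    if loaded and not iommu:
        return "exposed"
    return "reduced"


if __name__ == "__main__":
    ctrl = firewire_controllers()
    mods = loaded_firewire_modules()
    iommu = iommu_active()
    print("1394 controllers:", ctrl or "none")
    print("FireWire modules loaded:", mods or "none")
    print("IOMMU active:", iommu)
    print("exposure:", assess(ctrl, mods, iommu))
    print(blacklist_conf(), end="")
```

Blacklisting the modules addresses the attack as the deck describes it; it does not cover the other interfaces the Inception quote lists (Thunderbolt, ExpressCard, PCIe), which expose DMA through different drivers, so the IOMMU check is the part of this audit that generalises.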
Questions?
