Forensic techniques are not just for law enforcement. You need to supplement your existing security package and provide evidence of due diligence in the event of an incident. Test your security before someone else does.
4. The Truth
• Evidence can be hard to come by
• Any and all evidence must be carefully accounted for and documented
• Cases involving movie-like circumstances are few and far between
23. Failure of Encryption?
• Encryption Did Not Fail!
• Convenience vs. Security
• Zero knowledge attack
24. Forensics for the Defense – One System at a Time
• System vulnerabilities unknown until tested
• Forensic penetration testing = same purpose as a traditional penetration test
• Learn and improve from mistakes
25. Conclusions
• Forensic techniques are not just for law enforcement
• Supplement your existing security package
• Provide evidence of due diligence in the event of an incident
• Test your security before someone else does
- Crime scenes and evidence, bringing criminals to justice, secret files on devices
- Neatly laid out trail of evidence, police chases, gunfire
- Everything solved by the end of the TV show, in 30 minutes or less (commercials not included, of course)
- Law enforcement: critical evidence in cases, breaches/cyber attacks
- Emerging: security - verification, penetration testing
- "Dead" analysis: drive image, searching for deleted and hidden files
- Evidence must never change
- New technologies making this more challenging: full disk encryption/hardware encryption (the image is useless without the key), solid state drives (TRIM and garbage collection can wipe deleted data on the drive's own initiative, even behind a write blocker)
- Memory analysis - becoming increasingly important
- Capturing this evidence often requires modifying evidence - capture tools need to access/write to memory
- Some evidence may only exist in memory
- Network forensics - much more information
- Search and web history, timing of requests and keystrokes, location data
- Sources: firewall logs, DNS logs, IDS logs, packet captures
- Forensic techniques - more than just law enforcement
- More flexibility - experimenting with evidence may be desirable
- Minimal legal issues, especially for research purposes
- Time consuming process
- Requires attention to detail
- Documentation!
- Consider the time involved when determining whether it is necessary
- Verification - application analysis and verification
- Pen testing - encrypted laptop
- Malware/exploit/breach analysis - be careful, legal concerns
- Consider legal ramifications, especially if there is a possibility of criminal activity
- Know your limits
- Involve law enforcement - critical for malware/breach investigations
- Checkbox - trust but verify
- Simulate an actual attack - zero-knowledge attacks
- Identify shortcomings before they become problems
Application verification - Don’t trust the developer’s word!
For application verification:
- Control image - a clean, minimal system with only the application installed, so that every change found afterwards can be attributed to the application; simplify the system as much as possible
- Test cases: run the application, generate data (feed it known values you can search for later)
- Analysis: investigate the application's processes and behaviour - MAC times (modified/accessed/changed timestamps) of files it created or altered, search those files for interesting data such as the test values in plaintext
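The control image / test case / analysis loop above, written out as an added example (this is not the presenter's tooling): a baseline snapshot of a directory tree is taken, the application runs, a second snapshot is diffed against the first using content hashes and MAC times, and the created or modified artifacts are searched for a canary value that was fed to the application. The application itself is a constructed stand-in (`simulated_app`), and the directory tree, file names and canary string are all invented for the demonstration.

```python
"""Baseline-and-diff check for application verification (added example)."""
import hashlib
import os
import stat
import tempfile

BLOCK = 1 << 16


def snapshot(root):
    """Record size, M/A/C times and SHA-256 for every regular file under root.

    Hashing reads each file, which on a live system updates its atime, so
    compare atimes only between offline images, never between two live passes.
    """
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(BLOCK), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime,
                         "ctime": st.st_ctime, "sha256": h.hexdigest()}
    return snap


def diff_snapshots(before, after):
    """Classify changes: created, deleted, modified (content differs) or
    touched (same content but mtime/ctime moved, e.g. rewritten in place)."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified, touched = [], []
    for rel in sorted(set(before) & set(after)):
        b, a = before[rel], after[rel]
        if b["sha256"] != a["sha256"]:
            modified.append(rel)
        elif (b["mtime"], b["ctime"]) != (a["mtime"], a["ctime"]):
            touched.append(rel)
    return {"created": created, "deleted": deleted, "modified": modified, "touched": touched}


def find_canary(root, rels, canary):
    """Return the artifacts holding the canary in plaintext, checking UTF-8 and
    UTF-16LE (the two encodings a Windows application is likely to write)."""
    needles = (canary.encode("utf-8"), canary.encode("utf-16-le"))
    hits = []
    for rel in rels:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        if any(n in data for n in needles):
            hits.append(rel)
    return hits


def simulated_app(root, canary):
    """Constructed stand-in for the application under test: it appends to its
    log, removes a temp file and writes the credential it was given in the clear."""
    with open(os.path.join(root, "app", "app.log"), "a") as f:
        f.write("login ok\n")
    os.remove(os.path.join(root, "app", "tmp.dat"))
    with open(os.path.join(root, "app", "settings.ini"), "w") as f:
        f.write("[auth]\nuser=tester\npassword=%s\n" % canary)


def run_demo():
    """Control image -> test case -> analysis, on a throw-away directory tree."""
    canary = "CANARY-p4ssw0rd-7f3a"   # unique value fed to the app, then searched for
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "docs"))
        for rel, text in (("app/app.log", "started\n"), ("app/tmp.dat", "scratch"),
                          ("docs/readme.txt", "untouched baseline file\n")):
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        before = snapshot(root)                 # control image
        simulated_app(root, canary)             # test case
        after = snapshot(root)
        changes = diff_snapshots(before, after)  # analysis
        suspects = changes["created"] + changes["modified"]
        return {"changes": changes, "canary_hits": find_canary(root, suspects, canary)}


if __name__ == "__main__":
    result = run_demo()
    print(result["changes"])
    print("plaintext secret found in:", result["canary_hits"])
```

Content hashes are compared before timestamps on purpose: a file rewritten within the same timestamp granularity still shows up as modified, while a timestamp-only change is reported separately so it can be checked against the image's MAC times rather than trusted from a live snapshot.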
Setting the scene: Company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
- Zero knowledge attack - identical to a real attack
- Authenticated testing - allows for testing specific scenarios
- Laptop was fully encrypted
- Administrator confident no information could be retrieved or leaked
- Full disk images - physical and digital
- Write blocker used, system never booted using the original disk (critical step!)
- Scratch disk could be restored from the image, leaving no evidence of the attack
- Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption solution
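The software side of the acquisition step above (the write blocker is hardware and out of scope here), as an added example that is not the presenter's code: a block-by-block copy that keeps offsets intact when a sector cannot be read, the way `dd conv=noerror,sync` does, a custody record with the SHA-256 of what was written and the offsets of any bad blocks, and an independent re-hash of the working copy before it is trusted. The "drive" is a constructed in-memory object with one unreadable sector, and the 512-byte sector size and record fields are assumptions for the demonstration.

```python
"""Block-level acquisition with hash verification and a custody record (added example)."""
import hashlib
import io
import json
import time

SECTOR = 512


def acquire(src, dst, block_size=SECTOR):
    """Copy src to dst block by block. An unreadable block is written as zeros so
    every later byte keeps its original offset; the failure is recorded, not hidden."""
    digest = hashlib.sha256()
    offset, bad_blocks = 0, []
    while True:
        try:
            block = src.read(block_size)
        except OSError:
            bad_blocks.append(offset)
            block = b"\x00" * block_size
            src.seek(offset + block_size)      # step over the bad block
        if not block:
            break
        dst.write(block)
        digest.update(block)
        offset += len(block)
    return {"bytes": offset, "sha256": digest.hexdigest(), "bad_blocks": bad_blocks,
            "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}


def sha256_of(fobj, block_size=1 << 16):
    fobj.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(image, record):
    """Re-hash the image independently of acquisition: a working copy is only
    trusted while it still matches the hash recorded when it was made."""
    return sha256_of(image) == record["sha256"]


class BadSectorDevice(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("I/O error reading sector")
        return super().read(n)


def run_demo():
    raw = bytes(range(256)) * 16                      # 4 KiB of constructed disk content
    device = BadSectorDevice(raw, bad_offset=3 * SECTOR)
    image = io.BytesIO()
    record = acquire(device, image, SECTOR)
    ok_now = verify(image, record)
    image.seek(100)
    image.write(b"X")                                  # someone alters the working copy
    ok_after_tamper = verify(image, record)
    return record, ok_now, ok_after_tamper


if __name__ == "__main__":
    record, ok_now, ok_after_tamper = run_demo()
    print(json.dumps(record, indent=2))
    print("verified:", ok_now, "after tampering:", ok_after_tamper)
```

The record is what goes into the case documentation: the bad-block list explains why the image hash will never match a hash of the source drive, and the post-acquisition verify is the check that a restored scratch disk or a second analyst's copy is still the evidence that was imaged.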
- Grace period - a configured window of time during which the system was allowed to boot normally; the pre-boot passphrase was only demanded once that timeout had expired
- Images/repeated imaging allowed us to work indefinitely (restore the scratch disk, and the grace period starts again)
- System booted to Windows during the grace period - no need to attack the encryption directly; memory analysis techniques instead
- Downgrade system memory - with less RAM installed, all of physical memory sits within the lower 4 GB that a FireWire controller can address by DMA
- Leverage DMA to dump memory - FireWire
- Exploit operating system structures in memory (Inception tool)
- Result - full admin access
- We didn't need to break the encryption - we leveraged configuration oversights; the key may still be in memory while the system is up
- Convenience vs. security, resulted in total failure
- The fixes are configuration, not cryptography: no boot-time grace period, FireWire and other DMA-capable ports disabled, and machines powered off rather than suspended so keys leave RAM
- Zero knowledge - the company would not be able to determine that information was stolen
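The memory-analysis side of "the key may still be in memory", as an added example that is not the presenter's tooling: given a physical memory dump (however it was obtained, e.g. over DMA as above), this scans for AES-128 key schedules, the technique behind tools such as aeskeyfind. It assumes the disk encryption software uses AES-128 in software and keeps the expanded key schedule in RAM next to the key; the page does not say which cipher or mode Symantec Endpoint Encryption used, so that is an assumption. The sample "dump" is constructed inline around the FIPS-197 test key.

```python
"""Scan a memory dump for AES-128 key schedules (added example)."""


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map,
    walking the multiplicative group so no 256-entry table is typed in."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def schedule_words(key):
    """Yield the 44 four-byte words of the AES-128 key schedule (FIPS-197, 5.2)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for word in w:
        yield bytes(word)
    for i in range(4, 44):
        tmp = list(w[i - 1])
        if i % 4 == 0:
            tmp = [SBOX[b] for b in tmp[1:] + tmp[:1]]   # RotWord, then SubWord
            tmp[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        word = [a ^ b for a, b in zip(w[i - 4], tmp)]
        w.append(word)
        yield bytes(word)


def expand_key_128(key):
    return b"".join(schedule_words(key))


def find_aes128_keys(dump):
    """Return (offset, key) for every 176-byte window that is a valid schedule.
    A schedule is far too structured to occur by chance, so a match is a key."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        for i, word in enumerate(schedule_words(dump[off:off + 16])):
            if dump[off + 4 * i:off + 4 * i + 4] != word:
                break                       # nearly every offset fails at word 4
        else:
            hits.append((off, dump[off:off + 16]))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 test key


def build_sample_dump():
    """Constructed stand-in for a memory image: filler, one expanded key, zeros."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(1024))
    return filler + expand_key_128(FIPS_KEY) + b"\x00" * 512 + filler[::-1] + filler


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_dump()):
        print("AES-128 key at offset 0x%x: %s" % (off, key.hex()))
```

The check is cheap because the schedule is verified incrementally: the first derived word already rules out almost every offset, so the full 176-byte comparison only runs where a real key sits. Nothing about the encryption is broken here; the key is simply read from where the running system had to keep it.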