Vest Forensics presentation owasp benelux days 2012 leuven
Transcript of Vest Forensics presentation owasp benelux days 2012 leuven
Digital inVESTigations
Forensics and Audit Trails
About Me
Marc Hullegie
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in all areas of the information security business: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to sharing experiences with you at the OWASP Benelux Days 2012.
Kees Mastwijk
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and Security Manager. He has a long (and ongoing) history of experience in Digital Forensic Research.
TALK OUTLINE
• Basics
– Principles
– Audit Trails
– Timeline Analysis
• Challenges
– BIG Data
– Solid State Drives
– Cloud Computing
– Changing forensic landscape
• Trends
– Triage
– Visualization
• And then What ?
INVESTIGATION BASICS
Why will people commit fraud / crime / ‘misbehavior’ / ….
Fraud Triangle:
• Opportunity – One has to be able to commit fraud
• Motive – There is a ‘drive’ to commit fraud
• Rationalization – Actions will be justified
INVESTIGATION BASICS
Understanding of the Fraud Triangle can be helpful for:
• Formulating the investigation charter
• Creating scenarios
• Applicable to fraud & forensic investigations and security testing
TYPES OF DIGITAL INVESTIGATIONS (due to the nature of the fraud / crime ..)
• Against computer systems, e.g. hacking, spam
• Where computer systems are used to commit fraud, stalking, harassment
CHARACTERISTICS OF GOOD EVIDENCE
• Intact (integrity preserved)
• Relevant
• Reproducible
REQUIRED SKILLS AND KNOWLEDGE
- Technical skills: understand what kind of evidence you are looking for
- Investigative skills: understand the value of the evidence in the case, translate highly technical findings into an easy-to-understand report, and be able to spot abnormalities
- While maintaining the ‘chain of custody’
KNOW YOUR STUFF !
BASICS
Basic steps in a digital forensic investigation
• Preparation
• Acquisition of Evidence
• Duplication
• Extraction
• Analysis
• Reporting
PREPARATION
• Investigation Charter
• Determine the scope and preconditions of the investigation
• Determine potential locations of relevant evidence by means of the type of investigation:
– Network
– Data carriers like hard disk drives, smartphones, USB drives etc.
– Memory
– Etc.. Etc..
• Expectation Management / (Communication)
• Create an investigation log (and maintain it during the process)
ACQUISITION & PRESERVATION
• NEVER conduct an investigation on original material
• Acquire potential evidence following forensically sound procedures, tools and hardware
• Use write-protected hardware and software that ensures the integrity of the copy
• Duplicate the acquired evidence files to a secured back-up location
• Note system config settings, especially time related
EXTRACTION
• Compound files (Zip/rar/certain e-mail archives) may need to be extracted in order to be able to search the files.
• Transform data into usable investigation objects
• Disk images contain potential ‘hidden’ evidence in file slack, unallocated clusters etc
UNALLOCATED CLUSTERS
CARVING UNALLOCATED CLUSTERS
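As an added example (not from the Vest slides), a minimal header/footer carver of the kind run over exported unallocated clusters: it finds JPEG and PNG signatures in raw bytes, cuts each object out between header and footer, records the offset so the finding is reproducible, and keeps partial hits whose footer was overwritten. The signatures, cluster size and sample image are assumed and constructed:

```python
import hashlib

# Signatures as (header, footer) pairs; an assumed subset of what real carvers know.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(data, max_size=10 * 1024 * 1024):
    """Return (type, offset, bytes) for each header found in the raw bytes.
    Offsets are kept so every finding can be documented and reproduced."""
    found = []
    for ftype, (head, tail) in SIGNATURES.items():
        start = data.find(head)
        while start != -1:
            end = data.find(tail, start + len(head), start + max_size)
            if end != -1:
                end += len(tail)
                found.append((ftype, start, data[start:end]))
                start = data.find(head, end)
            else:
                # Header without footer: overwritten or fragmented across
                # clusters. Record it anyway; bytes=None marks it as partial.
                found.append((ftype, start, None))
                start = data.find(head, start + len(head))
    return sorted(found, key=lambda f: f[1])

def carve_report(data):
    """Hash every complete object so the extraction can be verified later."""
    return [(t, off, len(b), hashlib.sha256(b).hexdigest())
            for t, off, b in carve(data) if b is not None]

# Constructed sample "unallocated space": four 4096-byte clusters holding a
# JPEG-like blob that straddles a cluster boundary, a PNG-like blob, and a
# lone JPEG header whose footer was overwritten.
CLUSTER = 4096
image = bytearray(CLUSTER * 4)
jpeg = b"\xff\xd8\xff\xe0" + b"A" * 5000 + b"\xff\xd9"
png = b"\x89PNG\r\n\x1a\n" + b"B" * 300 + b"IEND\xaeB`\x82"
image[100:100 + len(jpeg)] = jpeg        # clusters 0-1
image[9000:9000 + len(png)] = png        # cluster 2
image[14000:14003] = b"\xff\xd8\xff"     # cluster 3, partial
SAMPLE_IMAGE = bytes(image)

if __name__ == "__main__":
    for ftype, off, size, digest in carve_report(SAMPLE_IMAGE):
        print(f"{ftype} at offset {off}, {size} bytes, sha256 {digest[:16]}...")
```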
ANALYSIS
• Select tooling to conduct analysis
• Many tools available, specific for each type of investigation
• Cross check and verify your findings. Do not rely on the results of one tool
• Keep in mind the questions to be answered in the investigation or you will get lost
REPORTING
• Translate findings into a readable report
• Be transparent in describing your investigative process
• Answer the ‘W’ and ‘H’ questions: Who did What, When, Where, Why and How
• Do not jump to conclusions! Be aware of tunnel vision
CHALLENGES IN DIGITAL FORENSICS
• BIG data changes the way investigations will be conducted
• Diversity of equipment used in today’s communications
• Solid State Disks (SSD) reduce the likelihood of retrieving good evidence (if deleted previously)
• Unclear where your data is: e.g. Cloud Computing changes potential source locations
• Virtual Desktop Infrastructures
• Compliance rules limiting access to public records
TRENDS IN DIGITAL FORENSICS – TRIAGE
• Screening of potential evidence instead of creating a full disk image first, to conduct digital investigations efficiently and cost-effectively. Average storage in a system has increased substantially.
TRENDS IN DIGITAL FORENSICS – TRIAGE - CONT
Previewing and searching potential evidence saves a lot of time and storage. If a triaged system contains sources of evidence, create a full disk image.
TRENDS IN DIGITAL FORENSICS – VISUALIZATION
• Visualize BIG data to correlate events, relationships, systems.
• Profiling applications
AUDIT TRAILS
In a digital forensic context:
‘Chronological presentation of actions and events extracted from user or system generated information’
SYSTEM GENERATED EVIDENCE
Users have little understanding and awareness of the presence of this kind of evidence!
Some examples
• NTUSER.DAT
• Webserver logs
• Index.dat files
• Print spooler logs
• E-mail headers
• Registry files
• Temp/tmp folders
• Etc..
USER CREATED EVIDENCE
Some examples:
• Pictures
• (Open) Office documents
• Internet history
• Chat services
• E-mails
OTHER POTENTIAL EVIDENCE
Call registers
Attendance registers
Surveillance videos
Etc..
Note: Mind regulations for privacy, proportionality and subsidiarity
AUDIT TRAILS COMBINED
Combining system generated and user generated evidence along with additional information creates a complete audit trail.
Interrelate and correlate, minding proper synchronization and unique identifiers (don’t assume: user williamsj does not have to be John Williams)
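An added example (not from the slides) of the combination step: events from a firewall log, a web server log and an e-mail header are normalised to UTC using each source's known clock offset and merged into one chronological trail, and an account name is tied to a person only through an explicit, proven mapping. The records, hostnames and identity map are constructed for the example:

```python
from datetime import datetime, timezone, timedelta
import re

# Constructed sample records; hostnames, formats and the case are assumed.
FIREWALL_LOG = [  # local time (CET, UTC+1), no offset in the line itself
    "2012-11-29 10:02:07 ALLOW 10.1.5.23 -> 203.0.113.10:443 user=williamsj",
]
WEB_LOG = [  # Apache combined format carries its own UTC offset
    '10.1.5.23 - williamsj [29/Nov/2012:09:01:55 +0000] "GET /agenda HTTP/1.1" 200 5120',
]
MAIL_HEADERS = [  # RFC 5322 Date header with explicit offset
    "From: j.williams@example.com\nDate: Thu, 29 Nov 2012 11:05:00 +0200\nSubject: slides",
]
# Only identifiers proven in the case file are mapped; everything else stays unresolved.
IDENTITY_MAP = {"williamsj": "John Williams (HR record 4711)"}
FIREWALL_TZ = timezone(timedelta(hours=1))  # noted from the firewall's config

def parse_firewall(line):
    m = re.match(r"(\S+ \S+) (\w+) (\S+) -> (\S+) user=(\S+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=FIREWALL_TZ)
    return ts.astimezone(timezone.utc), "firewall", m.group(5), f"{m.group(2)} {m.group(3)} -> {m.group(4)}"

def parse_web(line):
    m = re.match(r'(\S+) - (\S+) \[([^\]]+)\] "([^"]+)"', line)
    ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), "webserver", m.group(2), f"{m.group(4)} from {m.group(1)}"

def parse_mail(raw):
    hdr = dict(line.split(": ", 1) for line in raw.splitlines())
    ts = datetime.strptime(hdr["Date"], "%a, %d %b %Y %H:%M:%S %z")
    return ts.astimezone(timezone.utc), "e-mail", hdr["From"], f"sent '{hdr['Subject']}'"

def build_timeline():
    """Merge all sources into one UTC-ordered trail with the identity resolution made explicit."""
    events = [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_web(l) for l in WEB_LOG]
    events += [parse_mail(m) for m in MAIL_HEADERS]
    events.sort(key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%d %H:%M:%SZ"), src, ident,
             IDENTITY_MAP.get(ident, "unresolved identity"), what)
            for ts, src, ident, what in events]

if __name__ == "__main__":
    for row in build_timeline():
        print(" | ".join(row))
```

Note that the e-mail sender looks like the same person but stays "unresolved identity" until the case file proves it.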
FORENSIC READINESS
• Be prepared for incidents, they WILL happen
• Compliance
• Prevention
• Early Warnings
• Limit “damage”
• Reduction of investigation cost/time
• Effectiveness in sanction (HR/Legal/IT)
CASE
‘Did speaker participate in OWASP Benelux 2012 conference’
CASE – CONT
Potential evidence:
• Speaker’s laptop
• Network/server logs
• Smartphone
• Call registers
CASE – CONT
Hard disk evidence
• Keyword search
• System file analysis
CASE – CONT
Hits
• Unallocated clusters (system generated)
CASE – CONT
Hits
• Pagefile (system generated)
CASE – CONT
Hits
• NTUSER.DAT
CASE – CONT
Hits
• Network data – firewall logs
CASE – CONT
Hits
• E-mail messages
• Message tracking logs
• Etc etc
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Webserver: Logs
• Application server / Middleware: Logs
• Database server: Logs, system tables, memory
• Do not limit log files: verbose, and no overwrites
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Applications:
What have YOU instructed the application to log / record ?
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• The application “Knows and Sees” a lot !
• CAPTURE THAT DATA:
• Facilitate detailed logging for the purpose of audit trails:
Who - e.g. User account
What - (sequence of) Activity
When - Date/time stamps
Where - IP-address, geo info, endpoint characteristics
How - Application navigation behavior
As much and as detailed as possible ! Look across bridges, as far as you can see to both ends.
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Where ?
– (Additional) Log files
– (system) Event log
– Database !
• Mind:
– Location and size
– Access, Authorization …
– Performance
• Forensic principles to be included in your design !
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS – CONT
• Add monitoring, triggering mechanisms to your (forensic) logging to enhance the traceability with early warning and even prevention advantages.
• It might also support your regular system debugging ;-)
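As an added example (not the authors' code) covering the Who/What/When/Where/How fields, the "no overwrites" rule and the triggering mechanism of the last three slides: an append-only application audit trail whose records are hash-chained so later tampering is detectable, with a simple early-warning rule. The field names, the failed-login rule and its threshold are assumptions:

```python
import hashlib
import json
from datetime import datetime, timezone

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only audit log with a SHA-256 hash chain: a record changed, removed
    or inserted after the fact no longer verifies."""
    def __init__(self, alert_threshold=3):
        self.records = []              # never rotated, overwritten or truncated
        self.prev_hash = "0" * 64      # chain anchor for the first record
        self.alert_threshold = alert_threshold
        self.alerts = []

    def record(self, who, what, where, how):
        entry = {
            "seq": len(self.records),
            "when": datetime.now(timezone.utc).isoformat(),  # always UTC
            "who": who,      # authenticated account, not a display name
            "what": what,    # activity and its outcome
            "where": where,  # client IP / endpoint characteristics
            "how": how,      # request or navigation path that led here
            "prev": self.prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.prev_hash = entry["hash"]
        self.records.append(entry)
        self._trigger(entry)
        return entry

    def _trigger(self, entry):
        # Early-warning rule (assumed for this example): repeated failed logins by one account.
        if entry["what"] != "login failed":
            return
        fails = sum(1 for r in self.records if r["who"] == entry["who"] and r["what"] == "login failed")
        if fails >= self.alert_threshold:
            self.alerts.append(f"{entry['who']}: {fails} failed logins from {entry['where']}")

    def verify(self):
        """Recompute the chain; return the index of the first bad record, or None if intact."""
        prev = "0" * 64
        for i, r in enumerate(self.records):
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["seq"] != i or r["prev"] != prev or _digest(body) != r["hash"]:
                return i
            prev = r["hash"]
        return None
```

In production the chain head would be written to a separate, access-controlled location so that a log truncated at the tail is also caught.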
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Non-repudiation: Perform security tests so that fraudulent people cannot dispute their acts and the operation of your application.
(They will tell you your application environment sucks!) Prove they’re wrong !
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS - CONT
• And don’t forget the traditional forensic sources:
• Not only application logs contain relevant information
• Consider logs of servers, network peripherals, workstations, syslogs
CONCLUSION
• All activity as shown on screen has potential to be recovered
• New technologies change the forensic landscape as well
• Be prepared for incidents and know how to handle them while preserving potential evidence
• Be Forensic Ready! Be pro-active !
And then what ?
• Do not forget about “traditional” forensics
• Adjust NOW to the changing landscape !
• OWASP has a Forensic project opened in Aug
• Let’s ALL contribute:
– We will ALL provide our knowledge and questions
– List of tools
– Facts about current forensic techniques (detailed techstuff)
– Your environments and challenges
– Compose a Forensics Ready (Secure) Application framework
– Create new tools ?
Thank you
For any intermediate questions and suggestions:
– [email protected] (Marc Hullegie)
– [email protected] (Kees Mastwijk)
www.vest.nl
See you all at the “OWASP Forensic Guide Project”
http://owasp.org/index.php/owasp_forensic_guide_project