adam daniel ruxcon 2014 introduction who am i stared
play

Adam Daniel Ruxcon 2014 Introduction Who Am I Stared working in - PowerPoint PPT Presentation

Feb 05, 2023 •197 likes •378 views

The Devil Is In The Detail Adam Daniel Ruxcon 2014 Introduction Who Am I Stared working in Data Recovery and Data Conversion in 1992 with Doctor Disk. Begun working in Computer Forensics in 1998 with Forensic Data Services.

  1. The Devil Is In The Detail Adam Daniel – Ruxcon 2014

  2. Introduction – Who Am I Stared working in Data Recovery and Data Conversion in • 1992 with Doctor Disk. Begun working in Computer Forensics in 1998 with • Forensic Data Services. Worked for Deloitte and Ernst and Young in their • forensic and eDiscovery divisions for a number of years. Original Ruxcon crew (Did the 1 st talk at the 1st rux in • 2003). Now a Manager with Ferrier Hodgson Forensic IT. • Devil in the Detail – Ruxcon 2014 Page 2

  3. Computer Forensic Tools – A Brief History Direct Disk and Binary/Hex editors Nortons Disk Edit • Winhex • Acronis • Media Tools • Linux Binary Editors\Custom Recovery Tools • Capabilities Direct Disk Access • Media data surface analysis in hex. • File system analysis (Partition tables, FAT tables, MFT). • Simple keyword searching (no indexing). • Data recovery and extraction (File system repair, simple carving) • Devil in the Detail – Ruxcon 2014 Page 3

  4. Computer Forensic Tools – A Brief History Dedicated Forensic Analysis tools. Encase (Expert Witness) • Forensic Tool Kit (FTK) • Xways (Winhex) • FEX – Forensic Explorer (Just released) • Capabilities Media data surface analysis in hex. • File system analysis. • Artefact Analysis. • Compound file support. • Advanced keyword searching (indexing in FTK, bookmarks). • File viewers. • Galley Viewer • Data Carving, Data recovery. • Advanced Scripting (Enscript) • Advanced categorisation (FTK) • Devil in the Detail – Ruxcon 2014 Page 4

  5. Computer Forensic Tools – A Brief History Advanced File Analysis and legal review. NUIX • Intella • Legal review platforms (Relativity, Ringtail, EDT) • Capabilities Advanced meta data extraction. • Compound file support. • Advanced keyword searching (Complex Queries). • Text Analytics, Visual Analytics. • File format support. • Data Carving, Data recovery. • Advanced Scripting (Nuix). • Advanced legal review functionality • Devil in the Detail – Ruxcon 2014 Page 5

  6. Computer Forensic Tools – A Brief History Artefact Analysis and Timeline Generation. (Point and Click scriptkiddy forensics?) Log2timeline • Internet Evidence Finder • Various individual tools, scripts, parsers. • Capabilities Individual Artefact analysis modules • Visual Timeline generation (IEF) • Non-standard artefact modules • Centralised reporting • Expanding support for new analysis techniques • (Shellbags, Cloud storage) Data offsets, contextual data provided. • Devil in the Detail – Ruxcon 2014 Page 6

  7. Forensic Artefacts – Time Line Analysis File System MTF, File Entries, FAT, Log, Journal • Registry MU lists, USB Analysis, Proprietary software entries • Link Files Recent Files, Most Used, Shortcuts • Jump Lists Recent Files, Most Used, Shortcuts • Internet History Searches, Web history, Recent files, Webmail, Cloud • Email Sent, Received, Recipient Lists, address books, calendar, Web mail • Instant messenger Discussions, files sent, system access • System Restore Points Registry Backups, File backs, Links files etc • Prefetch Software Access • Shell Bags File access, Software Access • Devil in the Detail – Ruxcon 2014 Page 7

  8. Time Line Case Study – Online Fraud Australian Manufacturing organisation • Numerous Asia-Pac suppliers • Approximately $1 million fraud • Attacker utilised a weak point in the business • process (supplier IT security, payment process) “ Man-in-the- middle” style deception • Analysis Tools Used – Nuix, LibPDF, ExifTool • Time Line Analysis • Devil in the Detail – Ruxcon 2014 Page 8

  9. Time Line Case Study – Online Fraud 2 Web Mail 1 Client Supplier Early September 2013 • Supplier “hacked” by unknown group (1) • Causes minor interruption in business processes between supplier and client • Hacking incident is mentioned to the client in an informal email. (2) • Supplier contact utilises a account for communications with client • Attacker begins monitoring supplier operations • Devil in the Detail – Ruxcon 2014 Page 9

  10. Time Line Case Study – Online Fraud 3 Web Mail 4 Client Supplier Late September 2013 • Supplier sends a payment reminder email to client ($1 million) (3) • Attacker observes outgoing email. Creates a web based account with a • name very similar to the supplier’s personal account (4) Devil in the Detail – Ruxcon 2014 Page 10

  11. Time Line Case Study – Online Fraud Web Mail x3 5 Client Supplier Late September 2013 • Attacker sends an email from the fake account to the client providing new • banking details. States need to change the account due to an audit. (5) Over the course of the next three days the attacker resends this three times • Devil in the Detail – Ruxcon 2014 Page 11

  12. Time Line Case Study – Online Fraud 6 Web Mail 7 Client Supplier Yahoo Late September 2013 • Client (following standard policies) requests that the change is verified via a • formal letter signed by Supplier MD on company letterhead. (6) Attacker disables the client’s email server with a Denial of Service attack (7) • Creates a Yahoo email account under the name of the client account manager • Sends a request to supplier for a document signed by MD “for their records”. Devil in the Detail – Ruxcon 2014 Page 12

  13. Case Study – Recent Online Fraud 10 8 Web Mail Client Supplier Yahoo Early October 2013 9 • Email to the Supplier uses the same tactics (previous text, sig block etc). • Supplier sends a PDF’d letterhead document and sends to the attacker (8) • Attacker edits the PDF to reflect the desired bank account changes (9) • Attacker sends the altered PDF to the Client. The client now has a formal, • signed request to alter the bank account details on Supplier letterhead (10) Devil in the Detail – Ruxcon 2014 Page 13

  14. Case Study – A Complex Attack 11 Web Mail 12 Client Supplier Early October 2013 • Supplier had been trying to send a follow up email to the legit client during • the email server downtime. When the server is repaired this email arrives. Client responds that the payment is going through soon (11) • Attacker sends an email to the client reinforcing the changed bank account • details. Devil in the Detail – Ruxcon 2014 Page 14

  15. Time Line Case Study – Online Fraud 13 14 Web Mail 15 Client Supplier Early October 2013 • Client makes payment into attackers bank account. • Supplier informs Client that payment has not been received (13) • Client replies stating that payment should have gone through (14) • Attacker replies to this email stating that there have been problems with • their accounts and not to worry about it for a few days (15) Devil in the Detail – Ruxcon 2014 Page 15

  16. Questions or Comments? Adam.daniel@fh.com.au Devil in the Detail – Ruxcon 2014 Page 16

  17. DON’T LET THE ALIENS PROBE YOUR BUM! JOIN THE RESISTANCE!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tools of the NSA Playset Ruxcon 2014 Joe FitzPatrick Mike Ryan What is the NSA Playset? ()

Tools of the NSA Playset Ruxcon 2014 Joe FitzPatrick Mike Ryan What is the NSA Playset? ()

Tools of the NSA Playset Ruxcon 2014 Joe FitzPatrick Mike Ryan What is the NSA Playset? () nsaplayset.org 3D NSA Playset Price Sheet CONGAFLOCK - <$1 A Retroreflector, which is a passive device that reflects differently when a

786 views • 49 slides
Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Securing The

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Securing The

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Securing The Network - TLS & SSH IETF Standards: SSH - RFC 4250-4255 Remote shell File transfer TCP port forwarding, socks proxy Pipe commands over

679 views • 35 slides
Finding Bugs the Rube-Goldberg Way Ruxcon 2014 mark.brand@datacom.com.au/c01db33f@gmail.com Me

Finding Bugs the Rube-Goldberg Way Ruxcon 2014 mark.brand@datacom.com.au/c01db33f@gmail.com Me

Finding Bugs the Rube-Goldberg Way Ruxcon 2014 mark.brand@datacom.com.au/c01db33f@gmail.com Me Work - Datacom TSS - pentesting/code auditing/research Play - Same as last year :-P - When I have time, its nice to try and break things.

469 views • 21 slides
Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Why you should bolt

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Why you should bolt

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Why you should bolt on some crypto There could be 25+ routers between client and server on the internet. One of them is operated by the barista that burnt your latte.

403 views • 28 slides
WINDOWS SHELLBAGS FORENSICS IN DEPTH RUXCON 2014 Vincent Lo WHO AM I? Vincent Lo CISSP, GCFA

WINDOWS SHELLBAGS FORENSICS IN DEPTH RUXCON 2014 Vincent Lo WHO AM I? Vincent Lo CISSP, GCFA

WINDOWS SHELLBAGS FORENSICS IN DEPTH RUXCON 2014 Vincent Lo WHO AM I? Vincent Lo CISSP, GCFA Gold, GCIH, GREM, CCE Blog: lylcdigitalforensics.blogspot.com Twitter: @_VincentLo_ CONTENT What is ShellBag? ShellBag Structure ShellBag

1.03k views • 51 slides
Introduction Daniel Arribas-Bel & Thomas de Graaff September 5, 2014 Introduction Why this

Introduction Daniel Arribas-Bel & Thomas de Graaff September 5, 2014 Introduction Why this

Introduction Daniel Arribas-Bel & Thomas de Graaff September 5, 2014 Introduction Why this workshop? In the social sciences few attention to what tools to use (and why they make sense) Increasing need for/in openness &

750 views • 28 slides
BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S.. Leg egacy acy BI BIOS 1. CPU

1.36k views • 101 slides
RUXCON Courtesy of google images Metamorphic template with

RUXCON Courtesy of google images Metamorphic template with

Oct, 2016 Senior Malware Scientist ,Trend Micro spark@trendmicro.com RUXCON Courtesy of google images Metamorphic template with parameters #1 Original Code

701 views • 43 slides
Scalable Semantic Web Data Management Using Vertical Partitioning Daniel Abadi 2 1 , Adam

Scalable Semantic Web Data Management Using Vertical Partitioning Daniel Abadi 2 1 , Adam

Scalable Semantic Web Data Management Using Vertical Partitioning Daniel Abadi 2 1 , Adam Marcus 2 , Samuel Madden 2 , and Kate Hollenbach 2 1 Yale University 2 MIT September 27, 2007 DBLife Grievance 9/27/2007 Daniel Abadi -

637 views • 29 slides
A peek under the Blue Coat ProxySG internals Raphal Rigo / AGI / TX5IT Ruxcon - 2015-10-24 A

A peek under the Blue Coat ProxySG internals Raphal Rigo / AGI / TX5IT Ruxcon - 2015-10-24 A

A peek under the Blue Coat ProxySG internals Raphal Rigo / AGI / TX5IT Ruxcon - 2015-10-24 A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding

640 views • 43 slides
Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel

Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel

Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel Kruck 1 / 41 Outline Motivation 1 Background - GPUs 2 Profiler 3 NVIDIA Tools Lynx Optimizations 4 Conclusion 5 09/02/2014 Profiling

441 views • 41 slides
Daniel Foltnek daniel.foltynek@gmail.com Brussels, 8. 10. 2014 Workshop on ITI instrument 2014

Daniel Foltnek daniel.foltynek@gmail.com Brussels, 8. 10. 2014 Workshop on ITI instrument 2014

Olomouc Metropolitan Area Integrated Territorial Investments Daniel Foltnek daniel.foltynek@gmail.com Brussels, 8. 10. 2014 Workshop on ITI instrument 2014 2020: New approach to territorial development In Czech Republic, more than

307 views • 18 slides
Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones Who Am I? Sr. Security Research Analyst for Arbor Networks ASERT Attend AHA! in Austin semi-frequently Welcome to the

648 views • 43 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides
Cadastre 2014 Cadastre 2014 Introduction Trend Analysis Visions Jrg Kaufmann, Daniel

Cadastre 2014 Cadastre 2014 Introduction Trend Analysis Visions Jrg Kaufmann, Daniel

Working Group 7.1 FIG-Commission 7 "Cadastre 2014" Cadastre 2014 Cadastre 2014 Introduction Trend Analysis Visions Jrg Kaufmann, Daniel Steudler - 1 - Brighton, July 1998 Working Group 7.1 FIG-Commission 7 "Cadastre

434 views • 18 slides
Data Speculation Adam Wierman Daniel Neill Lipasti and Shen. Exceeding the dataflow limit, 1996.

Data Speculation Adam Wierman Daniel Neill Lipasti and Shen. Exceeding the dataflow limit, 1996.

Data Speculation Adam Wierman Daniel Neill Lipasti and Shen. Exceeding the dataflow limit, 1996. Sodani and Sohi. Understanding the differences between value prediction and instruction reuse , 1998. Architecture Carnegie Mellon 1 School of

315 views • 27 slides
Inside the SCAM Jungle: A Closer Look at 419 Scam Email Operations Jelena Isacenkova Olivier

Inside the SCAM Jungle: A Closer Look at 419 Scam Email Operations Jelena Isacenkova Olivier

Inside the SCAM Jungle: A Closer Look at 419 Scam Email Operations Jelena Isacenkova Olivier Thonard Andrei Costin Aurelien Francillon Davide Balzarotti Nigerian Scam Trap 2 Nigerian Scam Trap 3 Spam vs. 419 Scam 419 SCAM SPAM

804 views • 36 slides
LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

Outline Launching of t he LHC Logging proj ect Mandat e, scope and obj ect ives LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic f unct ionalit ies Filt ering of dat a I nt erf acing t o ot

667 views • 3 slides
A First Look at Traffic on Smartphones by Falaki et al. Andrew Zafft CS Department Agenda

A First Look at Traffic on Smartphones by Falaki et al. Andrew Zafft CS Department Agenda

A First Look at Traffic on Smartphones by Falaki et al. Andrew Zafft CS Department Agenda Objective Study Structure Outcomes & Observations Future Work / Citations Conclusions 2 Worcester Polytechnic Institute

581 views • 21 slides
FLEET COMMANDER THE EFFICIENT WAY OF MANAGING THE DESKTOP PROFILES OF YOUR FLEET! FABIANO

FLEET COMMANDER THE EFFICIENT WAY OF MANAGING THE DESKTOP PROFILES OF YOUR FLEET! FABIANO

FLEET COMMANDER THE EFFICIENT WAY OF MANAGING THE DESKTOP PROFILES OF YOUR FLEET! FABIANO FIDNCIO OLIVER GUTIRREZ WHAT IS A DESKTOP PROFILE? A GROUP OF DESKTOP RELATED SETTINGS ASSOCIATED TO A USER, GROUP, HOST OR HOSTGROUP WHAT IS FLEET

816 views • 14 slides
HTML Email In Drupal The Easy Way! Dennis Jarecke Drupal Camp Ohio November 15, 2014

HTML Email In Drupal The Easy Way! Dennis Jarecke Drupal Camp Ohio November 15, 2014

HTML Email In Drupal The Easy Way! Dennis Jarecke Drupal Camp Ohio November 15, 2014 Demonstration Module hook_menu calls PHP function which populates parameters and calls drupal_mail() . This is a great way to test email in dev or even in

319 views • 12 slides
Learning to Detect Phishing Emails Ian Fette Norman Sadeh Anthony Tomasic (School of CS, CMU)

Learning to Detect Phishing Emails Ian Fette Norman Sadeh Anthony Tomasic (School of CS, CMU)

Learning to Detect Phishing Emails Ian Fette Norman Sadeh Anthony Tomasic (School of CS, CMU) Presented by: Ashique Mahmood Dept of Computer & Information Sciences University of Delaware CI SC 879 - Machine Learning for Solving Systems

1.22k views • 22 slides
CPSC 481 Tutorial 4 Intro to Visual Studio and C# Brennan Jones bdgjones@ucalgary.ca (based

CPSC 481 Tutorial 4 Intro to Visual Studio and C# Brennan Jones bdgjones@ucalgary.ca (based

CPSC 481 Tutorial 4 Intro to Visual Studio and C# Brennan Jones bdgjones@ucalgary.ca (based on previous tutorials by Alice Thudt, Fateme Rajabiyazdi, and David Ledo) Announcements I emailed you an example showing how the evolved

341 views • 31 slides
Elec%ons April 18, 2013 A+endance Pizza 2 pieces per

Elec%ons April 18, 2013 A+endance Pizza 2 pieces per

Elec%ons April 18, 2013 A+endance Pizza 2 pieces per person Election Rules Nominations have been closed except for positions which are vacant All nominees when they are up for a position

497 views • 16 slides

More recommend