concept
play

Concept 1 Nelson Uto - Sandro Melo - Brasil - 1 The first stage of - PowerPoint PPT Presentation

Feb 05, 2023 •544 likes •1.53k views

Concept 1 Nelson Uto - Sandro Melo - Brasil - 1 The first stage of this tutorial was developed by, Sandro Melo 4NIX (www.4nix.com.br) and Nelson Uto, with the goal to be a reference in the studies of the Computer Forensic Course, using

  1. Concept 1 Nelson Uto - Sandro Melo - Brasil –- 1

  2. The first stage of this tutorial was developed by, Sandro Melo – 4NIX (www.4nix.com.br) and Nelson Uto, with the goal to be a reference in the studies of the Computer Forensic Course, using many tools as FOSS (Free and Open Source Software). The second stage with Andreas that about Forensic Hand On (really)! Concept 2 Nelson Uto - Sandro Melo - Brasil –- 2

  3. About Sandro Melo currently working for Locaweb (the biggest hosting company of Latin America) as an Archtecth Linux and Incident Response of Secutiy Member Group, is Proctor of LPI and BSDA certification , has worked for 4NIX as an instructor of Network Security, Pentest and Computer Forensic in courses throughout Brazil, and also is Invited Professor in Lavras University - UFLA (MG), FACID (PI), IBTA College (SP), Portiguar University (RN), Air Force Institute of Technology - ITA (SP), Atual da Amazonia College (RR) and Chair Professor of Operating Systems in Bandtec College (SP). He holds a master’s degree in Network Engineering from Institute Search of Sao Paulo – IPT / USP. He is a writer and technical reviewer, author of four books published in Brazil by Altabooks publisher. Throughout his career, spanning more than eighteen years, he worked in projects for the biggest companies, as example: IBM, EMC, EDS/HP, banks; many organizations of the Brazilian government and also for militaries organizations. CONCEPTS 3 3 Nelson Uto - Sandro Melo - Brasil –- 3

  4. About Nelson Uto She has been an Information Technology professional for 13 years and an Information Security specialist for the last 7 years. He currently works at CPqD Telecom & IT Solutions as a Security Consultant and Researcher, in the areas of Cryptography and Application Security, and also as a PCI QSA and a PCI PA-QSA: he worked on cryptographic key management, evaluated free libraries supporting elliptic curve cryptography for the XScale and x86 platforms, performed pentests on several web applications as part of a risk analysis project, prepared hardening guidelines for Oracle and Unix systems, researched the application of K-Means clustering algorithm for semiautomatic generation of security event correlation rules, specified a security event management system, and elaborated security policies. CONCEPTS 4 4 Nelson Uto - Sandro Melo - Brasil –- 4

  5. Introduction In past, a server configured their risks but these risks were physically dimensioned, corresponding to the limits of the LAN of the corporation or institution. The Internet has radically changed this scenario. It is more secure than a system with Firewall or other security devices, there will always be the possibility of human error or hitherto unknown failure in the operating system or applications, whether proprietary or FOSS system. Given this degree of risk, at first intangible, the threat of an invasion is something that we can't overlook. In this context, the forensic techniques are essential during the response to an incident, to identify where the computer has violated its security, what was changed, the identity of the attacker and preparing the environment for expertise of Forensic Computer. Bearing in mind the care of an expert as a Computer Forensic, invasion is electronic crime. A digital evidence must be preserved so that it can have value. CONCEPTS 5 5 Nelson Uto - Sandro Melo - Brasil –- 5

  6. Sandro Melo Nelson Uto Sandro M Melo lo Nelso Ne lson Ut Uto sandro ro@4nix.com. m.br sandro@4nix.com.br uto to.cseg@gma mail.com uto.cseg@gmail.com sandro ro@ginux.ufl fla.br sandro@ginux.ufla.br CONCEPTS 6 6 Nelson Uto - Sandro Melo - Brasil –- 6

  7. Firs irst Time t Time : : First Time : “ HANDS ON “ HANDS ON “ POS OST M MOR ORTEM POST MORTEM FOR ORENS NSIC ANA NALYSIS w with ith FORENSIC ANALYSIS with specif sp ific ics F s Forensic sic F FOS OSS T TOOL OOLS” specifics Forensic FOSS TOOLS” CONCEPTS 7 7 Nelson Uto - Sandro Melo - Brasil –- 7

  8. (Bru (B rush shing bits, ts, data mining, se seeking fo for r (Brushing bits, data mining, seeking for evidence ces s and Arti Artifa facts) cts) evidences and Artifacts) CONCEPTS 8 8 Nelson Uto - Sandro Melo - Brasil –- 8

  9. “I I nitial Concepts ” “ l Concepts ” nit itia ial C Concept 9 Nelson Uto - Sandro Melo - Brasil –- 9

  10. Network Forensics Post Mortem Forensics Live Forensics Physical Layer Nelson Uto - Sandro Melo - Brasil –- 10

  11. Correlations of Forensic Evidences found. Post Mortem Forensics Live Network Forensics Forensics Concept 11 Nelson Uto - Sandro Melo - Brasil –- 11

  12. Volatility vs Life Time (RFC3227 ) Mediums NETWORK FORENSICS HARD Post Mortem Analysis DiSK Process. Live Analysis RAM NETWORK Memory FORENSICS Life time Network Traffic Periferic Memory Register Cache Volatility Level (least to most)

  13. Volatility vs Life Time (RFC3227) Post Mortem Forensics Mediums Time Life Hard disk Network Forensics Process. RAM memory Network traffic Live Periferic Memory Forensics Register and Cache Volatility Level (least to most)

  14. Network Forensics collecting info from network info about appliances network traffic Gathering evidence of During Live Network Forensics Analysis Forensics Analysis and correlation of Logs Forwarding artifacts and information to Post Mortem Forensics PCAP file Analysis (IDS / HoneyPot) Artifacts recovery

  15. Post Mortem Analysis Hard Disk Timeline analysis in creation Evidence Correlation between 5 layers Live and Network Forensics File System Analysis Creating the Artifact forensic report Analysis Identifications of potentiaI artifacts Static Dynamic Analysis Analysis

  16. Initial System Analysis Several actions can be taken in an attempt to find evidence and artifacts related to Security Incidents under investigation. Knowing the “bad guy's” Modus Operandi helps the Computer Forensic Expert to do her/his job. However, unusual and stealth behavior will always represent a challenge. Concept 16 Nelson Uto - Sandro Melo - Brasil –- 16

  17. Initial System Analysis “Bad guys” who do not have advanced technical knowledge have a Modus Operandi that usually leaves behind evidence of their actions. Concept 17 Nelson Uto - Sandro Melo - Brasil –- 17

  18. Post Mortem – Correlations Correlate Correlate Live Forensics Net Forensics String analysis in 5-layer the Analysis Hard Drive Concept 18 Nelson Uto - Sandro Melo - Brasil –- 18

  19. Byte Map creation The creation of an Image String file, as a first step, may allow the identification of relevant information. # strings -a image.img | tee image.img.strings The use of REGEX when dealing with string files is an essential mechanism. This way, the use of tools like: GREP, EGREP, GLARK are useful to extract clues. Concept 19 Nelson Uto - Sandro Melo - Brasil –- 19

  20. Strings vs Regex grep -i“tar\.gz$” imagem.string egrep --regexp=“\.tgz|\.zip|\.bz2|\.rar|\.c” imagem.string Concept 20 Nelson Uto - Sandro Melo - Brasil –- 20

  21. Strings vs Regex grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9] {1,3}" imagem.string grep -i "\/exploit\/" imagem.string grep -i "\/exploits\/" imagem.string grep -i "rootkit\/" imagem.string grep -i "\/\.\.\ " imagem.string Concept 21 Nelson Uto - Sandro Melo - Brasil –- 21

  22. Strings vs Regex grep -i "\/bk\/" image.string grep -i "xpl" image.string grep -i "force" image.string grep "\/\.\.\.\/" image.string grep "SSH_CLIENT=" image.string Concept 22 Nelson Uto - Sandro Melo - Brasil –- 22

  23. Extracting strings through key words A practical way to do this is through the generation of a file with key words and usual expressions, aiming to automatize the search. # cat image.img.strings | grep -i -f arq.txt # cat image.img.strings | egrep -i –color -f arq.txt # cat image.img.strings | grark -N -i -f arq.txt Concept 23 Nelson Uto - Sandro Melo - Brasil –- 23

  24. ” ” is ” “Media Analysis Media ia An Analy lysis “ Using the 5-layer concept Using the 5-layer concept (Image: Hard drives, USB-drives, flash (Image: Hard drives, USB-drives, flash memory drives ...) memory drives ...) CONCEPTS 24 24 Nelson Uto - Sandro Melo - Brasil –- 24

  25. The 5 Layers File Analysis of information from Files Layer (Artifact identification) Metadata Information extracted from file Layer Table (e. g. Inode, Fat, MFT) File System Specific information about files and directories Layer Info about the boot sector Data structure, partitioning, type of file Layer system Physical Media (e.g. Hardware identification: Layer size, type, format, vendor) Concept 25 Nelson Uto - Sandro Melo - Brasil –- 25

  26. Physical Layer ” “ Physical Layer ” “ (Analysis ysis o of i informa rmatio ion fro rom m (Analysis of information from media me ia a and/or ima image) media and/or image) Physical Layer Nelson Uto - Sandro Melo - Brasil –- 26

  27. Physical Layer Physical Layer This is where the Expert should gather and document information about related data storage devices, such as: Hard disk drives Removable media Physical Layer Nelson Uto - Sandro Melo - Brasil –- 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The MEDEORA-HIV Database Agenda Concept Concept Features Interfaces Concept Quality

The MEDEORA-HIV Database Agenda Concept Concept Features Interfaces Concept Quality

The MEDEORA-HIV Database Agenda Concept Concept Features Interfaces Concept Quality Assurance Reporting Development of a Database for local use in outpatient centers AREVIR Standardized software and data format Future

448 views • 17 slides
1 The Concept of Strategy The Concept of

1 The Concept of Strategy The Concept of

1 The Concept of Strategy The Concept of Strategy Karim Mazaheri Jan-2013 1 Aero. Eng. Dept. Sharif Univ. of Tech.

412 views • 12 slides
Concept presentation Concept presentation London, 6th and 7th of May 2010 MISSION: MISSION:

Concept presentation Concept presentation London, 6th and 7th of May 2010 MISSION: MISSION:

Concept presentation Concept presentation London, 6th and 7th of May 2010 MISSION: MISSION: Cost efficient solutions for environmentally friendly CO 2 transport Company History and Milestones: 2002 Early stages of idea- and concept

998 views • 71 slides
What are the Big Ideas of an IB Education? IB is Concept Based A concept is a big

What are the Big Ideas of an IB Education? IB is Concept Based A concept is a big

What are the Big Ideas of an IB Education? IB is Concept Based A concept is a big ideaa principle or notion that is enduring and is not constrained by a particular subject matter or place in time. Concepts represent IDEAS

344 views • 16 slides
SML CONCEPT 1 SML CONCEPT 1 SML CONCEPT 1 Design 1 Main features 1 Large yoke arms and yoke

SML CONCEPT 1 SML CONCEPT 1 SML CONCEPT 1 Design 1 Main features 1 Large yoke arms and yoke

SML CONCEPT 1 SML CONCEPT 1 SML CONCEPT 1 Design 1 Main features 1 Large yoke arms and yoke base 2 Deep cast aluminium pan tube base 3 Pan tube base can incorporate components as well as display and keypad 4 Separate double ended handle

509 views • 38 slides
Concept Mix : Self-Service Analytical Data Integration Based on the Concept-Oriented Model

Concept Mix : Self-Service Analytical Data Integration Based on the Concept-Oriented Model

Concept Mix : Self-Service Analytical Data Integration Based on the Concept-Oriented Model Alexandr Savinov Database Technology Group Technische Universitt Dresden, Germany Data Commander - http://conceptoriented.com 1 Concept Mix :

213 views • 8 slides
Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux Laboratory? ! ! The Flux Box holds the archives of many years of Flux creations and Flux Laboratory is a pluridisciplinary space, based in both

262 views • 11 slides
More Events CS 51 and CSCI E-51 April 5, 2014 . Road map The concept Using events

More Events CS 51 and CSCI E-51 April 5, 2014 . Road map The concept Using events

Supplementary Video: More Events CS 51 and CSCI E-51 April 5, 2014 . Road map The concept Using events Implementation of events UI events 2:1 The concept 3:1 The concept 3:2 The concept 3:3 The concept 3:4 The concept

703 views • 49 slides
THE INCOMPARABLE Incomparable A concept that is unique in every way since 1990 # A concept you

THE INCOMPARABLE Incomparable A concept that is unique in every way since 1990 # A concept you

THE INCOMPARABLE Incomparable A concept that is unique in every way since 1990 # A concept you will not find Objectif ? anywhere else in the world One of a kind since its creation in 1990, the Rallye Acha des Gazelles du Maroc is

479 views • 33 slides
1 CONCEPT 2PHASES 4 FUNCTIONALCOMPLEXES 9ACTIONS 1 CONCEPT SINGLE TOPICAL PRODUCT 1

1 CONCEPT 2PHASES 4 FUNCTIONALCOMPLEXES 9ACTIONS 1 CONCEPT SINGLE TOPICAL PRODUCT 1

1 CONCEPT 2PHASES 4 FUNCTIONALCOMPLEXES 9ACTIONS 1 CONCEPT SINGLE TOPICAL PRODUCT 1 CONCEPT 2PHASES 4 FUNCTIONALCOMPLEXES 9ACTIONS Lipophilic phase protects the active principles of the formulations from oxidation. At the same time

510 views • 33 slides
What is CYSP? Concept Young Scholars Program is a new program for all Concept Schools that will

What is CYSP? Concept Young Scholars Program is a new program for all Concept Schools that will

What is CYSP? Concept Young Scholars Program is a new program for all Concept Schools that will focus on academic challenges, healthy lifestyle, building confidence, volunteerism, exploration, and many fun activities. Inspired by Congressional

621 views • 13 slides
Formal Concept Analysis I Contexts, Concepts, and Concept Lattices Sebastian Rudolph

Formal Concept Analysis I Contexts, Concepts, and Concept Lattices Sebastian Rudolph

Formal Concept Analysis I Contexts, Concepts, and Concept Lattices Sebastian Rudolph Computational Logic Group Technische Universit at Dresden slides based on a lecture by Prof. Gerd Stumme Sebastian Rudolph (TUD) Formal Concept Analysis

570 views • 23 slides
concept design concept design TABLE OF CONTENTS 01 04 characteristics plans 02 05

concept design concept design TABLE OF CONTENTS 01 04 characteristics plans 02 05

Logan Gillet, Luis Gonzalez, Isabella Healion concept design concept design TABLE OF CONTENTS 01 04 characteristics plans 02 05 materials section 03 06 area chart + facade + parking + market 3D 01 characteristics

698 views • 42 slides
ELT Main Structure earthquake protection system concept: analysis and simulations Concept

ELT Main Structure earthquake protection system concept: analysis and simulations Concept

ELT Main Structure earthquake protection system concept: analysis and simulations Concept Hydraulic system based on oil cylinders connected to accumulators Concept: Accumulators Accumulators configuration A and B Bladder Piston Modelling

228 views • 22 slides
CONCEPT Standard Model CAPACI TY 9K, 12K, 18K & 24K BTU Launched in 2011 The Concept

CONCEPT Standard Model CAPACI TY 9K, 12K, 18K & 24K BTU Launched in 2011 The Concept

CONCEPT Standard Model CAPACI TY 9K, 12K, 18K & 24K BTU Launched in 2011 The Concept Appealing Design to all consumers Anti-virus Filter Full High density anti-virus filters Triple Protectors Quality Protection Good Sleep I I

612 views • 26 slides
Representation of Concept Representation of Concept Specialization Distance through

Representation of Concept Representation of Concept Specialization Distance through

Representation of Concept Representation of Concept Specialization Distance through Specialization Distance through Resemblance R Relations elations Resemblance Miguel-ngel Sicilia, Elena Garca*, Paloma Daz, Ignacio Aedo DEI

247 views • 12 slides
HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 -

HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 -

1 HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 - GISTRE Not LSE team 3 SUMMARY BIOS UEFI Boot a Linux kernel Boot a Multiboot compliant kernel 4 BIOS 5 OVERVIEW Basic

788 views • 48 slides
21/02/2012 CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module

21/02/2012 CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module

21/02/2012 CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives BIOS and boot process Storage devices Partitions Computer Hardware

777 views • 15 slides
GUID Partition Table Unified Extensible Firmware Interface (UEFI) Master Boot Record (MBR)

GUID Partition Table Unified Extensible Firmware Interface (UEFI) Master Boot Record (MBR)

GUID Partition Table Unified Extensible Firmware Interface (UEFI) Master Boot Record (MBR) GUID Partition Table (GPT) Computer Center, CS, NCTU Unified Extensible Firmware Interface Legacy BIOS limitations 16-bit processor mode

474 views • 14 slides
Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1-1 Chapter 2 Disk Operating System (DOS)

Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1-1 Chapter 2 Disk Operating System (DOS)

Fall 2009 Lecture 2 Operating Systems: Configuration & Use C IS345 Disk Operating System (DOS) Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1-1 Chapter 2 Disk Operating System (DOS) Finding DOS and Understanding its Strengths and

1.04k views • 66 slides
Master Boot Record (MBR) Created when the disk is

Master Boot Record (MBR) Created when the disk is

Operating Systems II Unit OS8: File System 8.5. Co-Loca+ng File Systems Prof. Dr. Andreas Polze, Andreas Grapentin, Bernhard Rabe Master Boot Record (MBR) Created when the disk is

922 views • 5 slides
File Systems: Naming and Performance CS 111 Operating Systems Peter Reiher Lecture 14 CS 111

File Systems: Naming and Performance CS 111 Operating Systems Peter Reiher Lecture 14 CS 111

File Systems: Naming and Performance CS 111 Operating Systems Peter Reiher Lecture 14 CS 111 Page 1 Spring 2015 Outline File naming and directories File volumes File system performance issues File system reliability Lecture

928 views • 77 slides
Microsoft File System Microsoft File System Instructor: Chia-Tsun Wu. 11/25/2004 ACCESS IC LAB

Microsoft File System Microsoft File System Instructor: Chia-Tsun Wu. 11/25/2004 ACCESS IC LAB

Graduate Institute of Electronics Engineering, NTU Microsoft File System Microsoft File System Instructor: Chia-Tsun Wu. 11/25/2004 ACCESS IC LAB ACCESS IC LAB Graduate Institute of Electronics Engineering, NTU Outline Outline Types of

1.1k views • 61 slides
GEOM Tutorial Poul-Henning Kamp phk@FreeBSD.org Outline Background and analysis. The

GEOM Tutorial Poul-Henning Kamp phk@FreeBSD.org Outline Background and analysis. The

GEOM Tutorial Poul-Henning Kamp phk@FreeBSD.org Outline Background and analysis. The local architectural scenery GEOM fundamentals. (tea break) Slicers (not a word about libdisk!) Tales of the unexpected. Q/A etc.

1.04k views • 68 slides

More recommend