DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois - PowerPoint PPT Presentation


  1. DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01)

  2. >> whois Dev.Dua
     # Star Wars fan, clearly.
     # M.Eng. Cybersecurity
     # JOATMON – Full Stack Developer, Security Engineer, Scripting/Automation, Researcher
     # Twitter: dev0x01
     # Web: code.devdua.me

  3. Famous case – BTK Killer
     “BTK” Serial Killer – Dennis Rader, on the run for more than 30 years. Last victim – Kansas, U.S.A.
     Downfall –
     • He sent a floppy disk to the police with a letter on it.
     • Upon forensic investigation, the investigators found a deleted Microsoft Word file.
     • The recovered metadata showed that the file had last been edited by a user named “Dennis”.
     • The disk had been used to take printouts at a church.
     Ironically, Rader had sent a floppy disk to the police because the police had previously told him that letters on floppy disks could not be traced.

  4. Locard’s Exchange Principle
     “A criminal is always going to bring something to and leave something from a crime scene.”

  5. What will be covered (Static!)
     + DFIR Process
     + Forensic Data Acquisition & Imaging
     + Analysis of Forensic Images
     + File Carving

  6. What’s DFIR? DF | IR
     The process of digital forensics can be broken down into three categories of activity: acquisition, analysis, and presentation.
     Evidence data acquired must be preserved in a way that allows it to be presented in a court of law.
     Tools should preserve this data as well as the attached metadata.
     No one should be able to challenge the data collected.

  7. DFIR Process – Acquisition
     • Collection of digital media to be examined.
     • Depending on the type of examination, media could be physical or digital.
     • Media to be examined should be treated delicately.
     At a minimum the acquisition process should consist of
     • creating a duplicate of the original media (more on this later)
     • maintaining good records of all actions taken with any original media.

  8. DFIR Process – Analysis
     • Examination of the acquired media – “identification, analysis, and interpretation”
     • Identification consists of locating the items present in the media in question and then reducing this set to the items or artifacts of interest.
     • These items are then subjected to the appropriate analysis.
     • Finally, the examiner interprets the results of this analysis.

  9. DFIR Process – Presentation
     Presentation refers to the process by which the examiner shares results of the analysis phase with the interested party or parties. This consists of generating a report of
     • actions taken by the examiner,
     • artifacts uncovered,
     • meaning of those artifacts.
     The presentation phase can also include the examiner defending these findings under challenge (in court).

  10. Data Acquisition & Imaging

  11. Media types
      Typical media collected during an investigation –
      + Hard drives (internal and external)
      + Optical discs (DVDs, CDs, etc.)
      + Removable media (USB keys, SD cards, Compact Flash, etc.)
      + Mobile devices (phones, tablets)

  12. Forensic Investigation 101
      Forensics should NOT be performed on the original media – it puts the evidence at risk.
      A bit-for-bit copy of the media must be created and used for the investigation. Why?
      • Digital evidence is very volatile; accidents can lead to permanent data loss.
      • By performing forensic analysis on a clone, you give yourself an option to start over if things go awry.

  13. Cloning Process
      Copy from the source drive (the drive you want to make a copy of) to a destination drive/space.
      The destination drive needs to be at least as large as the source drive.
      Typically the drive to be cloned is removed from the system and attached to a hardware cloning device or another computer.
      Some kind of write-blocking device must be put into place before cloning! (Often built into most hardware cloners.)

  14. Forensic Duplication
      • The tool must create a forensic duplicate or mirror image of the original storage medium.
      • The tool must handle read errors in a robust and graceful manner.
      • The tool must not make any changes to the source medium.
      • The tool must have the ability to be held up to scientific and peer review. Results must be repeatable and verifiable by a third party, if necessary.

  15. Imaging tools
      • dd – Linux imaging tool
      • dc3dd – dd with features: on-the-fly hashing, progress meter, split output files
      • dcfldd – similar to dc3dd but developed as a fork of dd
      • Guymager – Linux-based tool with GUI interface
      • Helix3 – bootable image, commercial
      • FTK Imager – commercial

  16. Imaging tool: dd
      dd if=IFILE of=OFILE [options]
      options:
      • bs=SIZE – set block size
      • count=NUM – copy only NUM blocks from IFILE
      • skip=NUM – skip ahead NUM blocks in input IFILE
      • conv=noerror,sync – skip unreadable sections (very important for forensic imaging)

  17. Imaging tool: dd
      dd if=/dev/sda1 of=/mnt/usb/sda.img bs=1M count=700 conv=noerror,sync
      • Input file = /dev/sda1 (first partition on the sda device)
      • Output file = /mnt/usb/sda.img (sda.img file on the mounted USB drive)
      • bs=1M = block size
      • count=700 = only copy the first 700 blocks (700MB here)
      • noerror = continue on errors
      • sync = use synchronized I/O for data and metadata
      Example – dd if=/dev/sdb of=sdb_image.img bs=65536 conv=noerror,sync

  18. Imaging tool: dcfldd
      dcfldd \
        if=/dev/zero of=zero.img \
        hash=md5,sha256 hashwindow=256M \
        md5log=md5.txt sha256log=sha256.txt \
        bs=8k conv=noerror,sync \
        split=256M

  19. Imaging tool: dc3dd – REMOTE ACQUISITION
      Sender (the machine being imaged):
      dc3dd if=/dev/sda1 hash=md5 progress=on | ./nc 192.168.1.3 12345 -w 3
      Listener (the collecting host):
      nc -l -p 12345
      Over SSH:
      ssh dev@192.168.72.142 "dd if=~/remote_test.img" | dc3dd hofs=secPG/remote_test_copy.img.0 ofsz=256M hash=md5 hash=sha1 verb=on hlog=secPG/remote-acq-hash.log
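The options on the dd, dcfldd and dc3dd slides above, modelled as added Python (my own code, not the tools'): a dd-style read loop that zero-fills unreadable blocks (conv=noerror,sync), hashes the image on the fly (hash=md5,sha256), and rotates the output into numbered parts (split= / ofsz=). The "drive" is a constructed byte string with one block that fails to read; nothing here touches a real device.

```python
import hashlib
import tempfile

class FlakySource:
    """Constructed stand-in for a failing drive: read() raises OSError for block indices in bad_blocks."""
    def __init__(self, data, bs, bad_blocks):
        self.data, self.bs, self.bad, self.pos = data, bs, set(bad_blocks), 0
    def read(self, n):
        idx, chunk = self.pos // self.bs, self.data[self.pos:self.pos + n]
        self.pos += n
        if chunk and idx in self.bad:
            raise OSError("Input/output error")
        return chunk

def image_source(src, out_prefix, bs=8192, split=None):
    """dd-style loop modelling dcfldd/dc3dd options: conv=noerror,sync zero-fills an unreadable
    block, hash=md5,sha256 hashes on the fly, split=N (a multiple of bs) rotates output every N bytes."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    bad, outputs, written, out = [], [], 0, None
    while True:
        try:
            chunk = src.read(bs)
        except OSError:
            bad.append(written // bs)           # noerror: log the block number and go on
            chunk = b"\x00" * bs                # sync: pad so every later byte keeps its offset
        if not chunk:
            break                               # EOF
        chunk = chunk.ljust(bs, b"\x00")        # sync also pads a short final read
        for h in digests.values():
            h.update(chunk)
        if out is None or (split and written % split == 0):
            if out:
                out.close()
            outputs.append(f"{out_prefix}.{len(outputs):03d}")
            out = open(outputs[-1], "wb")
        out.write(chunk)
        written += bs
    if out:
        out.close()
    return {k: h.hexdigest() for k, h in digests.items()}, bad, outputs

def run_demo(bs=1024, split=2048):
    """Image a constructed 12388-byte drive whose block 1 is unreadable, then reassemble and verify."""
    data = bytes(range(256)) * 48 + b"TAIL" * 25          # 12288 + 100 bytes, not bs-aligned
    with tempfile.TemporaryDirectory() as tmp:
        hashes, bad, parts = image_source(FlakySource(data, bs, [1]), f"{tmp}/img", bs, split)
        image = b"".join(open(p, "rb").read() for p in parts)
    verified = hashlib.sha256(image).hexdigest() == hashes["sha256"]
    return hashes, bad, len(parts), image, verified
```

The zero-fill is what dd's conv=sync contributes to imaging: a short or failed read is padded to bs so later data keeps its source offset and the acquisition hash can be checked against the reassembled image, as run_demo does. Synchronous writes are the separate oflag=sync option.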

  20. Remote Acquisition
      It’s better to image over wire compared to the remote method.


  22. Analysis of Forensic Images

  23. Analysis
      Probably the longest step – the analyst must use their skills, experience, and tools to locate and interpret artifacts found on the images they analyze.
      During this phase they should take copious notes of every step so that you or someone else can repeat those steps and find the same results. Verifiability.

  24. How to Analyze?
      • Linking activity to a specific person/user
      • Identify relationships between people
      • Establish a timeline of events
      • Recovering deleted files
      • Determining if a system was compromised
      • Identifying websites visited/search engine queries
      • Determining if/when files were accessed or modified
      • Check for hidden or unusual files
      • Unusual processes and open sockets
      • Unusual application requests
      • Suspicious accounts

  25. Types of Data
      • Active – Data we use every day; a typical file that can be viewed on the computer. Easy to acquire forensically.
      • Latent – Data that has been deleted or partially overwritten. Needs to be acquired with forensic tools.
      • Archival – Backups of data that was active at some point. Acquisition can be easy to near impossible.

  26. File Systems
      The File System keeps track of the files and directories on a computer, their location (physically and logically), as well as the free space (unallocated space).
      Most common:
      • FAT
      • NTFS
      • HFS+
      • ext2/3/4

  27. Sleuth Kit
      File System Forensics framework, 20+ command line utilities.
      Includes tools that operate on –
      • volumes (aka “media management”),
      • file system structures,
      • data unit (or “block”) layer,
      • metadata (or “inode”) layer,
      • file name layer …

  28. [SK] – Volume Layer Tools
      mmstat – displays the type of volume system in use on the target image file or disk.
      mmls – parses and displays the media management structures on the image file or disk (i.e., the partition table).
      >> mmls 10-ntfs-autodetect/10-ntfs-disk.dd
      mmcat – streams the content of the specified volume to STDOUT (usually the console).
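The volume layer that mmls walks, as an added Python model (my own code, not Sleuth Kit's): it decodes the four primary entries of a DOS/MBR partition table and lays out the allocated and unallocated sector ranges the way mmls prints them, refusing tables whose entries overlap or run past the image. The MBR bytes are a constructed fixture; GPT and extended partitions are not handled.

```python
import struct

MBR_SIG = b"\x55\xaa"

def parse_mbr(sector0, total_sectors):
    """Decode the 4 primary MBR slots at offset 446 (16 bytes each: status, CHS start,
    type, CHS end, LBA start, sector count) and return mmls-style rows of
    (description, start, end, length), including the unallocated gaps."""
    if len(sector0) < 512 or sector0[510:512] != MBR_SIG:
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        boot, ptype, start, length = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype == 0 and length == 0:
            continue                                    # empty slot
        parts.append((slot, boot == 0x80, ptype, start, length))
    parts.sort(key=lambda p: p[3])                      # walk the disk in LBA order
    rows, cursor = [("Primary Table (#0)", 0, 0, 1)], 1
    for slot, bootable, ptype, start, length in parts:
        end = start + length - 1
        if start < cursor:
            raise ValueError(f"slot {slot} overlaps the previous region (suspicious table)")
        if end >= total_sectors:
            raise ValueError(f"slot {slot} runs past the end of the image")
        if start > cursor:
            rows.append(("Unallocated", cursor, start - 1, start - cursor))
        rows.append((f"Type 0x{ptype:02x}{' (boot)' if bootable else ''}", start, end, length))
        cursor = end + 1
    if cursor < total_sectors:
        rows.append(("Unallocated", cursor, total_sectors - 1, total_sectors - cursor))
    return rows

def build_mbr(entries):
    """Constructed test fixture: entries are (bootable, type, start_lba, sectors)."""
    sector = bytearray(512)
    for slot, (bootable, ptype, start, length) in enumerate(entries):
        off = 446 + 16 * slot
        sector[off], sector[off + 4] = (0x80 if bootable else 0), ptype
        struct.pack_into("<II", sector, off + 8, start, length)
    sector[510:512] = MBR_SIG
    return bytes(sector)

def demo_layout(total_sectors=409600):
    """Two partitions (NTFS type 0x07 at LBA 2048, Linux 0x83 at 206848) on a constructed 200 MiB image."""
    mbr = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 100000)])
    return parse_mbr(mbr, total_sectors)
```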

  29. [SK] – File System Layer Tools
      fsstat – displays file system information: volume names, data unit sizes, and statistical information about the state of the file system.
      >> fsstat ubnist1.casper-rw.gen3.E01
      Note that this tool provides the block size used on the file system. This is important information when carving data from unallocated space.

  30. [SK] – Data Unit Layer Tools
      blkstat – displays information about a specific data unit (allocation status).
      >> blkstat ubnist1.casper-rw.gen3.E01 521
      blkls – lists details about data units. blkls can also be used to extract all unallocated space of the file system.
      >> blkls ubnist1.casper-rw.gen3.E01 > ubnist1.casper-rw.gen3.unalloc

  31. [SK] – Data Unit Layer Tools
      blkcat – streams the content of a given data unit to STDOUT. This is similar in effect to using dd to read and write a specific block.
      >> blkcat ubnist1.casper-rw.gen3.E01 521 | xxd | head
