introduction to security forensics and incident handling
play

Introduction to Security Forensics and Incident Handling Ming Chow - PowerPoint PPT Presentation

Jan 27, 2024 •291 likes •492 views

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

  1. Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow

  2. Topic Outcomes • Acquire data (from a disk) using `dd` • Analyze image of disk from `dd` using forensics tools including Autopsy/Sleuth Kit , Foremost • Recover deleted files off a disk

  3. Scenario Imagine you have been attacked, compromised, or is involved in a criminal incident. What’s the evidence? What happened? When? Who was involved?

  4. What is Forensics? • Preservation (of computer media) • Identification (of computer media) • Extraction (of computer media) • Interpretation • Documentation

  5. The Process • Assess the situation • Acquire data • Analyze data • Report

  6. Law Enforcement: Before Accessing Situation, Obtain Search Warrant

  7. Example of a Search Warrant

  8. Example of a Search Warrant (continued)

  9. Terminology • Volatile data : RAM, processes • Non-volatile data : Hard disks, USB drives • Physical acquisition : Bit-by-bit copy of entire physical store • Logical acquisition : Bit-by-bit copy of directories and files on a file system partition • Write blockers : "Devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands” [1] • Chain-of-custody : Chronological documentation from "crade-to-grave" (i.e., warrant, seizure, custody, control, transfer, analysis, disposal)

  10. To Ponder • What could possibly go wrong if you don’t use a write blocker to acquire evidence, data? • What are the pros and cons of physical vs logical acquisition? When would you want to use one over the other?

  11. Forensics Tools • strings • md5/sha1/sha256/sha512 • dd • FTK • Encase • stegdetect • Sleuth Kit and Autopsy • Foremost

  12. Demo Time • dd • Sleuth Kit and Autopsy • Foremost

  13. Incident Handling • Generalized and broad term • Incorrect? • Incident Handling (IH) is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner. • Incident Response (IR) is all of the technical components required in order to analyze and contain an incident. • https://isc.sans.edu/forums/diary/Incident+Response+vs+Incident+Handling/6205 • Rebuttal by Richard Bejtlich • tl;dr IH and IR are the same • https://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html

  14. Why Incident Handling is Important • Chaos • Barking up the wrong trees • Dead-end investigations • Hard to accumulate knowledge, experience • Legal issues • Cost overruns • Organization (i.e., do not know who to contact)

  15. Incident Handling vs Forensics • There are overlaps • Forensics: "finding and documenting the actions of a person or persons in relation to other people or places or activities. Must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.” [2] • Incident Handling: generally speaking, must be well versed with many facets of IT and information security.

  16. Incident Handling Phases • Preparation • Identification • Containment • Eradication • Recovery • Lessons Learned • Take SANS’ SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling https://www.sans.org/course/hacker-techniques-exploits- incident-handling • Read: https://www.sans.org/reading- room/whitepapers/incident/incident-handlers-handbook-33901

  17. For a Deeper Dive into Incident Handling • Take SANS’ SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling https://www.sans.org/course/hacker-techniques-exploits-incident-handling • Yours truly is an alumnus of the course back in 2007 • SANS GCIH certification https://www.giac.org/certification/certified-incident- handler-gcih • Read: https://www.sans.org/reading-room/whitepapers/incident/incident- handlers-handbook-33901

  18. Anti-Forensics (or countering against forensics) Full-disk wipe using DoD 5220.22-M • https://www.nispom.org/NISPOM_2006.pdf • Remove logs • Steganography • Encryption (full-disk, VeraCrypt, BitLocker for Windows, FileVault for macOS) • Put disk into BBQ or fire pit •

  19. Forensics 1. http://forensicswiki.org/wiki/Write_Blockers 2. http://exforensis.blogspot.com/2009/09/how-is-computer- forensics-different.html

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides
Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

558 views • 28 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

703 views • 39 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job => I avoid RE as much as

670 views • 15 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June 2015 Dr Kim-Kwang Raymond Choo The role of digital forensics in incident handling Sources of digital evidence: Any computing devices capable of storing electronic

527 views • 16 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke Presentation Overview 1. Incident Response Lifecycle 2. Forensic Artifacts 1. DISK & RAM 3. Demo Incident Response Lifecycle 1.Preparation

575 views • 34 slides
Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

790 views • 63 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Linux Memory Analysis Workshop Session 1 Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide ranging forensics investigations Volatility Developer Former Blackhat, SOURCE, and DFRWS speaker

1.64k views • 162 slides
Patient 1 Zinc Phosphide 23 y/o male ingested rodent pellets: Zn 3 P 2 Awake but intubated

Patient 1 Zinc Phosphide 23 y/o male ingested rodent pellets: Zn 3 P 2 Awake but intubated

Patient 1 Zinc Phosphide 23 y/o male ingested rodent pellets: Zn 3 P 2 Awake but intubated for airway protection Using the Poison Center as a Lavage and WBI Hazmat Resource Rectal tube ICU bed Susan Smolinske MD, PharmD,

106 views • 8 slides
Public Health Law in Correctional Facilities Leila Barraza, JD, MPH Deputy Director, Network for

Public Health Law in Correctional Facilities Leila Barraza, JD, MPH Deputy Director, Network for

Public Health Law in Correctional Facilities Leila Barraza, JD, MPH Deputy Director, Network for Public Health Law- Western Region Veda Collmer, JD Visiting Attorney, Network for Public Health Law - Western Region Principles & Objectives

1.08k views • 54 slides
Emerging Drugs of Abuse Julie Kmiec, DO and Bill Morrone, DO, MS Disclosures Julie Kmiec, DO

Emerging Drugs of Abuse Julie Kmiec, DO and Bill Morrone, DO, MS Disclosures Julie Kmiec, DO

Emerging Drugs of Abuse Julie Kmiec, DO and Bill Morrone, DO, MS Disclosures Julie Kmiec, DO I have no financial conflicts of interest William Morrone, DO I have no financial conflicts of interest 2 Objectives At the end of

524 views • 40 slides
The INDEPTH Network www.indepth-network.org Please use the slides as you deem fit INDEPTH

The INDEPTH Network www.indepth-network.org Please use the slides as you deem fit INDEPTH

The INDEPTH Network www.indepth-network.org Please use the slides as you deem fit INDEPTH Governance Structure 2 Governance & M&E INDEPTH Board meetings o regular newsletters to the Board INDEPTH-Funder teleconferences; visits

528 views • 30 slides
Reporting Carbon Monoxide Poisoning Jon Meiman, MD Chief Medical Officer Jenny Camponeschi, MS

Reporting Carbon Monoxide Poisoning Jon Meiman, MD Chief Medical Officer Jenny Camponeschi, MS

Reporting Carbon Monoxide Poisoning Jon Meiman, MD Chief Medical Officer Jenny Camponeschi, MS Program Manager Wisconsin Environmental Public Health Tracking July 10, 2018 Wisconsin Department of Health Services Wisconsin Division of Health

682 views • 37 slides
Using Dashboards to Make Human Services Data Human ICPH Beyond Housing 2020 Session 2.12

Using Dashboards to Make Human Services Data Human ICPH Beyond Housing 2020 Session 2.12

Using Dashboards to Make Human Services Data Human ICPH Beyond Housing 2020 Session 2.12 Presented by: Lisa Kessler Courtney Lewis Data Analyst Transition Age Youth System Coordinator Allegheny County Department Allegheny County

646 views • 42 slides
Processing Dialogue-Based Data in the UIMA Framework Milan Gnjatovi , Manuela Kunze, Dietmar

Processing Dialogue-Based Data in the UIMA Framework Milan Gnjatovi , Manuela Kunze, Dietmar

Processing Dialogue-Based Data in the UIMA Framework Milan Gnjatovi , Manuela Kunze, Dietmar Rsner University of Magdeburg Overview Background Processing dialogue-based Data Conclusion Gnjatovi , Kunze, Rsner 2 Background

600 views • 21 slides
1 UNCLASSIFIED UNCLASSIFIED Military Mortuary Affairs Responsibilities In DoD, mortuary

1 UNCLASSIFIED UNCLASSIFIED Military Mortuary Affairs Responsibilities In DoD, mortuary

UNCLASSIFIED Agenda Defense Support of Civil Authorities for Mortuary Affairs NORAD-USNORTHCOM Quick Overview North American Aerospace Defense Command (NORAD) Military Mortuary Affairs Roles, Missions, Forces and United States

328 views • 5 slides

More recommend