Computer Forensic and Incident Response

or

Why invest in a Digital Investigations Platform?

Damir Delija
Insig2
Presentation plan

-   Introduction to computer forensics and
    incident response
     • what it is
     • legal and organisational issues

-   EnCase approach
     • architecture, tools, methods
     • approach to forensics and incident response
     • how it is done
Computer Forensics – a Definition

A practical definition:

    "Computer Forensics is simply the application of computer
    investigation and analysis techniques in the interest of
    determining potential legal evidence." (Judd Robbins)
Legal Definition of Forensics
-   Daubert/Frye: the most important decisions governing the
    use of scientific evidence in court are Daubert (Federal courts)
    and Frye (still the test in some states, e.g. California).
-   There are four primary factors according to Daubert that
    should be considered before ruling on the admissibility of scientific
    evidence:
      •   Whether the theory or technique has been (or can be) reliably tested;
      •   Whether the theory or technique has been subjected to peer
          review and publication;
      •   What is the known or potential rate of error of the method
          used;
      •   Whether the theory or method has been generally accepted by
          the relevant scientific community (general acceptance on its
          own is the older Frye test).
Role of the EnCase suite
-   EnCase Suite - Guidance Software
    www.guidancesoftware.com
-   Central point of the security system; the other usual security
    related tools are subordinate to it (feeds and actuators)
-   Acts as a standalone or as an enterprise-wide tool
-   It is supposed to react to incidents or to control systems, both
    in the same sound digital forensic way
-   The examiner workstation is the workplace for the incident responder,
    examiner, auditor and controller, all working in the same consistent,
    legally acceptable manner
-   Predefined roles, ranges, users and events
-   Uses other parts of the incident response infrastructure such as the
    ticketing system, help desk, IPS, IDS, etc.
What are our threats?

(Word cloud on the original slide, with the client in the centre:)

-   Others (unknown)
-   Regulatory compliance
-   IP theft (e.g. external consultants)
-   Classified data
-   Data leakage
-   Disgruntled employees
-   Human error
-   Competitors
-   Fraud
-   Virus outbreaks
-   Inappropriate content
-   Unauthorised software
-   Deliberate attack (hackers)
Integrating Forensics into IR

What is an incident to you?
-   Virus outbreak?
-   Stolen laptop?
-   Inappropriate usage?
-   Legal requirement for electronic data?
-   Unauthorised software?
-   Inappropriate content?
-   Classified data appearing in the wrong environments?
-   Data leakage?
-   IP theft?
-   Disgruntled employee?

How do you respond?
-   Manual processes?
-   Take computers off the network?
-   Suspend employees?
-   External investigative consultancy?
-   Outsource data collection?
-   Press release / PR?
-   Hope and pray?
-   Ignore?
Latest analytics (1)
Who is behind data breaches? (categories overlap, so the figures do not sum to 100%)
- 73% resulted from external sources
- 18% were caused by insiders
- 39% implicated business partners
- 30% involved multiple parties

How do breaches occur?
- 62% were attributed to a significant error
- 59% resulted from hacking and intrusions
- 31% incorporated malicious code
- 22% exploited a vulnerability
- 15% were due to physical threats

Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10 June 2008
Latest analytics (2)
What commonalities exist?

-   66% involved data the victim did not know was on the system
-   75% of breaches were not discovered by the victim
-   83% of attacks were not highly difficult
-   85% of breaches were the result of opportunistic attacks
-   87% were considered avoidable through reasonable controls

Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team, 10 June 2008
Latest analytics (3)
Nine out of 10 data breach incidents involved one of the
following:

     •   A system unknown to the organisation (or business group
         affected)
     •   A system storing data that the organisation did not know
         existed on that system
     •   A system that had unknown network connections or
         accessibility
     •   A system that had unknown accounts or privileges

Source: "2008 Data Breach Investigations Report",
a study conducted by the Verizon Business RISK Team
How do we deal with these threats today?

Reactively
-   We manually investigate incidents, which is time consuming
-   We employ 3rd party consultancies to collect data for compliance
-   We quarantine computers from the network (disrupting operations)
-   We need multiple tools to investigate and solve problems
-   We have to wait for our AV vendor to supply signatures for new outbreaks
Proactively
-   We cannot search the network for IP or other sensitive data
-   We cannot search for unauthorised software or malicious code
-   We cannot forensically remove data or malicious processes
-   We don't have time to investigate disgruntled employees
-   We can't identify potential risks comprehensively
How EnCase Enterprise and its
modules link together

(Architecture diagram on the original slide, reconstructed as a list.)

Current: three module groups sitting on top of the platform
-   Data Audit: EnCase Data Audit & Policy Enforcement; EnCase eDiscovery
-   System Audit: EnCase Infocon Hardening; Bit9
-   Investigative Intelligence: HBGary Responder

EnCase Enterprise Platform
(Examiner, SAFE, Snapshot, Connections, Pro Suite)

EnCase Enterprise Command Centre API

Future: integration with
-   Document Management
-   Security Information Management
-   Intrusion Detection Systems
-   Content Management Systems
Critical Requirements of IR Capabilities

REACTIVE: extreme end-point visibility to answer hard information
security questions at critical times:

    Were we compromised or not?

-   Precision response to attacks
-   Remote and immediate access to RAM and raw disk-level data
-   Preserve the requisite information for an optimal decision-making
    process ("freeze the crime scene")
-   Enterprise collateral damage assessment
-   Easily search for "intrusion footprint signatures"
-   Search the enterprise for critical information
Implement Incident Response
infrastructure
-   Implement EnCase Enterprise as the core
     •   define additional functionalities and plugins for EnCase
     •   training, testing, support, etc.

-   Integrate it with other tools
     •   IDS, IPS, network management, physical security, system
         administration, etc.
     •   help desk system, trouble ticketing system

-   Develop a lifecycle for an efficient Incident
    Response System
     •   policies, controls, reports, tests, etc.
     •   keep the IR system proactive, healthy and efficient
Anti-Forensics
Anti-forensics is any and all actions
taken by an unauthorised intruder to
conceal evidence
   • securely deleting critical log files is
     considered an anti-forensic technique.
- use of anti-forensics was discovered in 39% of cases
- this will be a trend to watch over the next years
Source: "2008 Data Breach Investigations Report", a study conducted by
the Verizon Business RISK Team
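Deleted log records leave a fingerprint that is worth checking for before trusting any log during an investigation. The script below is an added example written for this page (it is not from the Verizon report, EnCase or the presenter): it parses a log whose records carry a monotonically increasing record number and reports gaps in the sequence and silent periods longer than the source normally goes without logging. The log format and the sample lines are constructed; Windows event logs carry an EventRecordID that can be checked the same way, and copies already forwarded to a central collector are what the gaps are compared against.

```python
"""Detect holes left behind by log deletion (added example, constructed data)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log: records 1043-1046 have been removed and the
# remaining records show a two-hour hole where the source is normally busy.
SAMPLE_LOG = """\
2008-06-10T09:00:05 rec=1041 user=jsmith action=login src=10.0.1.20
2008-06-10T09:01:12 rec=1042 user=jsmith action=open file=payroll.xls
2008-06-10T11:05:44 rec=1047 user=jsmith action=logout
2008-06-10T11:06:02 rec=1048 user=svc_backup action=login src=10.0.1.5
"""

# Hypothetical line layout for the sample: ISO timestamp, record number, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) rec=(?P<rec>\d+) (?P<rest>.*)$"
)


class Record(NamedTuple):
    ts: datetime
    rec: int
    rest: str


def parse_log(text: str) -> List[Record]:
    """Parse well-formed lines; malformed lines are skipped rather than trusted."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(Record(datetime.fromisoformat(m["ts"]), int(m["rec"]), m["rest"]))
    # Sort by record number: the sequence, not file order, is what we audit.
    return sorted(records, key=lambda r: r.rec)


def find_gaps(records: List[Record], max_idle: timedelta) -> Dict[str, list]:
    """Return sequence gaps (prev_rec, next_rec, missing_count) and time gaps
    (prev_ts, next_ts) longer than max_idle between consecutive records."""
    seq_gaps = []
    time_gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur.rec != prev.rec + 1:
            seq_gaps.append((prev.rec, cur.rec, cur.rec - prev.rec - 1))
        if cur.ts - prev.ts > max_idle:
            time_gaps.append((prev.ts, cur.ts))
    return {"sequence": seq_gaps, "time": time_gaps}


def run_demo() -> Dict[str, list]:
    """Audit the constructed sample with a 30-minute idle threshold."""
    return find_gaps(parse_log(SAMPLE_LOG), timedelta(minutes=30))


if __name__ == "__main__":
    for kind, gaps in run_demo().items():
        print(kind, gaps)
```

A sequence gap with no matching time gap usually means selective deletion of individual records; a time gap with a contiguous sequence means logging itself was stopped. Both are reasons to pull the same period from the central collector before drawing conclusions from the host copy.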
Incident Response Recommendations


-   Align process with policy
-   Achieve “essential” then worry about “excellent”
-   Secure business partner connections
-   Create a data retention plan
-   Control data with transaction zones
-   Monitor event logs
-   Create an incident response plan
-   Increase awareness
-   Engage in mock incident testing
IT security dependencies

-   IT security depends on core competencies:
      •   People - a skill and knowledge problem
      •   Process - there are standards and best practices
      •   Technologies - control of usage and functions

-   This can be achieved by
      • developing an enterprise investigative infrastructure
      • using forensic technologies as a core part of IR
EnCase Enterprise "Core" Platform

EnCase Enterprise (EE) Platform

Key capabilities
-   Covertly investigate across the network on live machines
-   Bit-level analysis able to uncover deleted and hidden data
-   Also able to analyse volatile data in RAM
-   Sweep the enterprise for hacker code such as key loggers and rootkits
-   Court validated as forensically sound
-   Role-based access control and encrypted data flow

Business benefits
-   Respond to HR/IT requests much faster
-   Conduct many more investigations with the same resources
-   Rules employees in or out of investigations covertly
-   Collects court-validated evidence of wrongdoing
Case Review I - Core EE

HR Investigation – a specific employee is under suspicion for viewing
inappropriate content on their office machine.
-   The specific employee's PC is covertly previewed
-   The suspect's directory structure is viewed and all images are found
-   A timeline analysis of when specific files/images were saved can
    be seen
-   Over 400 file formats can be viewed 'natively' without
    having the corresponding applications
-   All deleted but not overwritten files are pulled up for further
    evidence; they can be viewed even though deleted
-   USB/external storage device analysis can be done, to check
    which files have been copied onto them
-   The USB device ID can be used to find where else the same USB device
    has been plugged into other machines on the network
EnCase Incident Response

Key capabilities
-   Can integrate directly with IDS and SIM (security information management) solutions
-   Automatically collects volatile data at the point of attack or infection
-   The threat can be killed immediately on the target machine
-   Scan and kill the threat across the entire network very quickly
Business benefits
-   Acts on intelligence provided by the SIM
-   Guarantees collection of intelligence 24x7x365
-   Removes the threat from the entire estate without disrupting operations
-   Helps enhance defences by offering real, actionable intelligence
-   Drives the true value out of IDS and SIM solutions
-   An effective way to counter zero-day attacks
Case Review II

A professional malicious attacker tries to penetrate your network and
you have netForensics deployed.

-   The SIM (netForensics) and other perimeter defence products throw
    up high-priority alerts
-   The alert is passed on to EnCase Enterprise
-   An automatic Snapshot of the target machine is retrieved (all processes
    running in the RAM of the target machine)
-   Your SIRT team analyses the snapshot results to determine the malicious
    processes
-   The process can be killed remotely and its file forensically wiped on the
    target node
-   The malicious/rogue process is hashed and an enterprise sweep is carried out
    to determine the extent of the breach. It can be remotely wiped on all
    "infected" nodes to clean the network
Kill Malicious Process – options

(Screenshot on the original slide.) Choice of deleting the process file, or
deleting and wiping it from the hard drive.
EnCase Data Audit & Compliance

Key capabilities
-   Automate the search for IP (e.g. video on demand), source code,
    PII such as credit card numbers, financial statements, compliance
    data, recharge card codes, etc.
      • by keyword, hash value, metadata, document type, within a date range, using GREP
        search expressions, across a defined node range
-   Move offending data to a new location or wipe it completely
-   Completed on desktops, laptops and servers irrespective of OS
Business benefits
-   Protects valuable intellectual property
-   Reduces the risk of credit card and customer data theft
-   Limits negative press by removing risks before they materialise
-   Ensures swift compliance with regulator demands
-   Forms the basis for refining/tightening company policies and processes
Case Review III – protecting confidential info

Minimise the risk of leakage by sweeping the network for a known,
highly "Confidential" strategy document.

-   The confidential document is hashed to get its unique signature.
-   An enterprise "sweep" is quickly done for this hash value. Whilst a
    keyword search can be done, using the hash is much faster (and only
    finds byte-identical copies: an edited copy needs the keyword search).
-   Results are found. Further investigation is done on those machines
    to see where the document was emailed.
-   This is done by analysing the local PST mail file: search for
    attachments with the same hash value. The main body content of
    the mail can then also be easily seen.
-   Remediation (forensically deleting the classified data) can also be
    done, if necessary.
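The hash-sweep step of Case Review III, as an added example written for this page (it is not EnCase code or the presenter's): hash the reference document once, sweep each "node" for byte-identical copies, and, as the caveat behind the hash-versus-keyword remark, show that an edited copy escapes the hash sweep and is only found by a keyword sweep. Node names, directory layout, file names and the document text are all constructed in a temporary directory so the script runs offline; the size check before hashing is the optimisation that makes a hash sweep cheap.

```python
"""Hash sweep versus keyword sweep for a known confidential document (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # stream files in 1 MiB chunks so large files do not exhaust RAM

# Constructed sample content of the "confidential strategy document".
CONFIDENTIAL_TEXT = (
    b"CONFIDENTIAL - Project Falcon acquisition strategy\n"
    b"Target: ExampleCorp, offer window Q3.\n"
)


def file_hash(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file's content, read in chunks."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_sweep(node_roots: Dict[str, Path], reference: Path, algo: str = "sha256") -> Dict[str, List[str]]:
    """Return {node: [relative paths]} of files byte-identical to the reference.

    A file of a different size cannot have the same content, so only
    same-size files are actually read and hashed.
    """
    ref_size = reference.stat().st_size
    ref_hash = file_hash(reference, algo)
    hits: Dict[str, List[str]] = {}
    for node, root in node_roots.items():
        for path in root.rglob("*"):
            if not path.is_file() or path.stat().st_size != ref_size:
                continue
            if file_hash(path, algo) == ref_hash:
                hits.setdefault(node, []).append(path.relative_to(root).as_posix())
    return hits


def keyword_sweep(node_roots: Dict[str, Path], phrase: bytes) -> Dict[str, List[str]]:
    """Return {node: [relative paths]} of files containing the phrase.

    Every file must be read in full, which is why this is the slow path.
    It only works on plain text: compressed containers (e.g. .docx) would
    need to be unpacked first.
    """
    hits: Dict[str, List[str]] = {}
    for node, root in node_roots.items():
        for path in root.rglob("*"):
            if path.is_file() and phrase in path.read_bytes():
                hits.setdefault(node, []).append(path.relative_to(root).as_posix())
    return hits


def build_demo_estate(base: Path) -> Tuple[Path, Dict[str, Path]]:
    """Create the reference document and three constructed nodes under base."""
    ref = base / "reference" / "strategy.txt"
    ref.parent.mkdir(parents=True)
    ref.write_bytes(CONFIDENTIAL_TEXT)
    nodes = {name: base / name for name in ("ws-01", "ws-02", "srv-01")}
    for root in nodes.values():
        (root / "Documents").mkdir(parents=True)
        (root / "Documents" / "notes.txt").write_bytes(b"lunch menu, nothing sensitive\n")
    # ws-01: byte-identical copy under another name; the hash sweep finds it.
    (nodes["ws-01"] / "Documents" / "untitled.txt").write_bytes(CONFIDENTIAL_TEXT)
    # ws-02: edited copy; one appended line changes the hash, so only the keyword sweep finds it.
    (nodes["ws-02"] / "Documents" / "strategy_v2.txt").write_bytes(CONFIDENTIAL_TEXT + b"Reviewed by M.\n")
    return ref, nodes


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Run both sweeps over the constructed estate and return their hits."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, nodes = build_demo_estate(Path(tmp))
        return {
            "hash": hash_sweep(nodes, ref),
            "keyword": keyword_sweep(nodes, b"Project Falcon"),
        }


if __name__ == "__main__":
    for method, hits in run_demo().items():
        print(method, hits)
```

In practice the two are combined: the hash sweep gives the fast, exact answer across the whole estate, and a keyword sweep is reserved for the nodes already implicated or for documents known to circulate in edited form.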
EnCase Infocon Hardening

Key capabilities
-   Perform network-wide system integrity checking
      • baseline servers, workstations and laptops
      • perform scheduled and automated audits to look for threats from malicious and
        risky applications of any kind without having to wait for signatures from
        antivirus vendors and other assessment tools
      • identify undocumented and unauthorised configuration changes to systems
      • automate the auditing and reporting of systems across time to identify
        installed software, new devices and changes to users
Business benefits
-   Ensures contraband, such as illegal software, is not on the network
-   Ensures key system assets have not been compromised by external
    hackers
-   Identifies suspicious employee behaviour, such as trying to hide data
Case Review IV – System Audit for a key Enterprise Server

An enterprise server (e.g. an online mobile payments application) is
audited whilst live to check for potential compromise/threats.

-   A "gold build", i.e. the set of all known-good running processes, is created
    for that server. This hash set forms the baseline.
-   At a later point in time, an audit is done of the same machine or of
    other servers that should be identical.
-   Infocon Hardening quickly compares the baseline with the results
    from the snapshot of running processes. Any process not in the
    standard baseline is highlighted (the comparison is by hash, so a
    replaced binary is caught even when it keeps a legitimate name).
-   Based on further investigation and validation, the offending
    processes can be remotely "killed" and wiped if necessary.
On investigation, undesired processes can be
killed remotely to restore the baseline

(Screenshot on the original slide.) Choice of deleting the process file, or
deleting and wiping it from the hard drive.
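The baseline-and-sweep logic behind Case Review II and Case Review IV, as an added example written for this page (it is not EnCase, Infocon Hardening or Guidance Software code): take a gold build of the processes running on a known-good server as a set of image hashes per executable name, audit a later snapshot against it, and then sweep every other host's snapshot for the hashes the audit flagged. Host names, process lists, paths and hashes are constructed sample data; the sha256 values are derived from text labels with hashlib so they look like digests. The audit separates "unknown" (a name the gold build never ran) from "modified" (a known name with a different image), because the second case is either a legitimate update the baseline has not been refreshed for or a trojanised or masquerading binary, and only the hash can tell the two apart.

```python
"""Gold-build process baseline, snapshot audit and enterprise sweep (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str     # image file name as reported by the snapshot
    path: str     # where the image was loaded from
    sha256: str   # hash of the on-disk image; the name alone is never trusted


def fake_hash(label: str) -> str:
    """Constructed digest for the sample data (stands in for the real image hash)."""
    return hashlib.sha256(label.encode()).hexdigest()


Baseline = Dict[str, Set[str]]  # lower-cased image name -> approved image hashes


def build_baseline(gold_snapshot: List[Proc]) -> Baseline:
    """Gold build: every process image seen on the known-good server is approved."""
    baseline: Baseline = {}
    for p in gold_snapshot:
        baseline.setdefault(p.name.lower(), set()).add(p.sha256)
    return baseline


def audit_snapshot(snapshot: List[Proc], baseline: Baseline) -> Dict[str, List[Proc]]:
    """Return the processes the baseline does not explain.

    unknown  : an image name the gold build never ran.
    modified : a known name whose image hash is not approved (update not yet
               baselined, or a replaced / masquerading binary).
    """
    findings: Dict[str, List[Proc]] = {"unknown": [], "modified": []}
    for p in snapshot:
        approved = baseline.get(p.name.lower())
        if approved is None:
            findings["unknown"].append(p)
        elif p.sha256 not in approved:
            findings["modified"].append(p)
    return findings


def enterprise_sweep(rogue_hashes: Set[str], estate: Dict[str, List[Proc]]) -> Dict[str, List[Proc]]:
    """Which hosts are running an image with one of the flagged hashes."""
    hits: Dict[str, List[Proc]] = {}
    for host, procs in estate.items():
        matched = [p for p in procs if p.sha256 in rogue_hashes]
        if matched:
            hits[host] = matched
    return hits


# Constructed sample data: gold build of the payments server and three live snapshots.
GOLD = [
    Proc(4, "System", "", fake_hash("system")),
    Proc(612, "lsass.exe", r"C:\Windows\System32\lsass.exe", fake_hash("lsass v1")),
    Proc(900, "svchost.exe", r"C:\Windows\System32\svchost.exe", fake_hash("svchost v1")),
    Proc(2210, "payapp.exe", r"D:\PayApp\payapp.exe", fake_hash("payapp 3.2")),
]
ESTATE = {
    # audited server: a dropper plus a second lsass.exe started from Temp
    "srv-pay-01": GOLD + [
        Proc(3104, "updater.exe", r"C:\Users\Public\updater.exe", fake_hash("dropper")),
        Proc(3120, "lsass.exe", r"C:\Windows\Temp\lsass.exe", fake_hash("lsass lookalike")),
    ],
    # second server already carries the same dropper
    "srv-pay-02": GOLD + [Proc(2888, "updater.exe", r"C:\Users\Public\updater.exe", fake_hash("dropper"))],
    "srv-pay-03": GOLD,
}


def run_demo() -> Dict[str, object]:
    """Audit srv-pay-01 against the gold build, then sweep the estate for what was flagged."""
    baseline = build_baseline(GOLD)
    findings = audit_snapshot(ESTATE["srv-pay-01"], baseline)
    rogue = {p.sha256 for group in findings.values() for p in group}
    return {"findings": findings, "sweep": enterprise_sweep(rogue, ESTATE)}


if __name__ == "__main__":
    result = run_demo()
    for kind, procs in result["findings"].items():
        print(kind, [f"{p.name} ({p.path})" for p in procs])
    print("hosts running flagged images:", sorted(result["sweep"]))
```

Two operational points follow from the code. The baseline has to be re-taken after every patch cycle, otherwise the "modified" list fills with legitimate updates and the one replaced binary hides among them. And the sweep should run before anything is killed: the hash of the process that was found is the only reliable link to the other hosts it has reached.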

Datafoucs 2014 on line digital forensic investigations damir delija 2Damir Delija
 
Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2Damir Delija
 
Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013 Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013 Damir Delija
 
Usage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsUsage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsDamir Delija
 
Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt  Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt Damir Delija
 
Aix workload manager
Aix workload managerAix workload manager
Aix workload managerDamir Delija
 
2013 obrada digitalnih dokaza
2013 obrada digitalnih dokaza 2013 obrada digitalnih dokaza
2013 obrada digitalnih dokaza Damir Delija
 
Tip zlocina digitalni dokazi
Tip zlocina digitalni dokaziTip zlocina digitalni dokazi
Tip zlocina digitalni dokaziDamir Delija
 
Sigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavimaSigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavimaDamir Delija
 
Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Damir Delija
 
Communication network simulation on the unix system trough use of the remote ...
Communication network simulation on the unix system trough use of the remote ...Communication network simulation on the unix system trough use of the remote ...
Communication network simulation on the unix system trough use of the remote ...Damir Delija
 

Mais de Damir Delija (20)

6414 preparation and planning of the development of a proficiency test in the...
6414 preparation and planning of the development of a proficiency test in the...6414 preparation and planning of the development of a proficiency test in the...
6414 preparation and planning of the development of a proficiency test in the...
 
6528 opensource intelligence as the new introduction in the graduate cybersec...
6528 opensource intelligence as the new introduction in the graduate cybersec...6528 opensource intelligence as the new introduction in the graduate cybersec...
6528 opensource intelligence as the new introduction in the graduate cybersec...
 
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
 
Cis 2016 moč forenzičikih alata 1.1
Cis 2016 moč forenzičikih alata 1.1Cis 2016 moč forenzičikih alata 1.1
Cis 2016 moč forenzičikih alata 1.1
 
Draft current state of digital forensic and data science
Draft current state of digital forensic and data science Draft current state of digital forensic and data science
Draft current state of digital forensic and data science
 
Why i hate digital forensics - draft
Why i hate digital forensics  -  draftWhy i hate digital forensics  -  draft
Why i hate digital forensics - draft
 
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
 
Deep Web and Digital Investigations
Deep Web and Digital Investigations Deep Web and Digital Investigations
Deep Web and Digital Investigations
 
Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2
 
Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2
 
Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013 Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013
 
Usage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsUsage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics tools
 
Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt  Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt
 
Ibm aix wlm idea
Ibm aix wlm ideaIbm aix wlm idea
Ibm aix wlm idea
 
Aix workload manager
Aix workload managerAix workload manager
Aix workload manager
 
2013 obrada digitalnih dokaza
2013 obrada digitalnih dokaza 2013 obrada digitalnih dokaza
2013 obrada digitalnih dokaza
 
Tip zlocina digitalni dokazi
Tip zlocina digitalni dokaziTip zlocina digitalni dokazi
Tip zlocina digitalni dokazi
 
Sigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavimaSigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavima
 
Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...
 
Communication network simulation on the unix system trough use of the remote ...
Communication network simulation on the unix system trough use of the remote ...Communication network simulation on the unix system trough use of the remote ...
Communication network simulation on the unix system trough use of the remote ...
 

encase enterprise

1. Computer Forensic and Incident Response
   or
   Why invest in a Digital Investigations Platform?
   Damir Delija, Insig2
2. Presentation plan
   - Introduction to computer forensics and incident response
     • what it is
     • legal and organisational issues
   - EnCase approach
     • architecture, tools, methods
     • approach to forensics and incident response
     • how it is done
3. Computer Forensics – a Definition
   A practical definition:
   “Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal evidence (Judd Robbins).”
4. Legal Definition of Forensics
   - Daubert/Frye: The most important decisions governing the use of scientific evidence in court are those of Daubert (Federal) / Frye (California).
   - There are four primary factors according to Daubert/Frye that should be considered before ruling on the admissibility of scientific evidence:
     • Whether the theory or technique has been reliably tested;
     • Whether the theory or technique has been subjected to peer review and publication;
     • What is the known or potential rate of error of the method used;
     • Whether the theory or method has been generally accepted by the scientific community.
5. Role of the EnCase suite
   - EnCase Suite - Guidance Software, www.guidancesoftware.com
   - Central point in the system security; other usual security-related tools are subordinates (feeds and actuators)
   - Acts as a standalone or as an enterprise-wide tool
   - It is supposed to react to incidents or to control the system, both in the same sound digital forensic way
   - The examiner workstation is a workplace for the incident responder, examiner, auditor and controller, all in the same consistent, legally acceptable manner
   - Predefined roles, ranges, users and events
   - Uses other parts of the incident response infrastructure like the ticketing system, help desk, IPS, IDS, etc.
6. What are our threats?
   - Others (Unknown)
   - Regulatory compliance
   - IP theft (e.g. external consultants)
   - Classified
   - Disgruntled employees
   - Data leakage
   - Human error
   - Competitors
   - Client
   - Fraud
   - Virus outbreaks
   - Inappropriate content
   - Unauthorised software
   - Deliberate attack (hackers)
7. Integrating Forensic into IR
   What is an incident to you?
   - Virus outbreak?
   - Stolen laptop?
   - Inappropriate usage?
   - Legal requirement for electronic data?
   - Unauthorised software?
   - Inappropriate content?
   - Classified data appearing in the wrong environments?
   - Data leakage?
   - IP theft?
   - Disgruntled employee?
   How do you respond?
   - Manual processes?
   - Take computers off the network?
   - Suspend employees?
   - External investigative consultancy?
   - Outsource data collection?
   - Press release / PR?
   - Hope and pray?
   - Ignore?
8. Latest analytics (1)
   Who is behind data breaches?
   - 73% resulted from external sources
   - 18% were caused by insiders
   - 39% implicated business partners
   - 30% involved multiple parties
   How do breaches occur?
   - 62% were attributed to a significant error
   - 59% resulted from hacking and intrusions
   - 31% incorporated malicious code
   - 22% exploited a vulnerability
   - 15% were due to physical threats
   Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10th June 2008
9. Latest analytics (2)
   What commonalities exist?
   - 66% involved data the victim did not know was on the system
   - 75% of breaches were not discovered by the victim
   - 83% of attacks were not highly difficult
   - 85% of breaches were the result of opportunistic attacks
   - 87% were considered avoidable through reasonable controls
   Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team, 10th June 2008
10. Latest analytics (3)
    Nine out of 10 data breach incidents involved one of the following:
    • A system unknown to the organization (or business group affected)
    • A system storing data that the organization did not know existed on that system
    • A system that had unknown network connections or accessibility
    • A system that had unknown accounts or privileges
    Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team
11. How do we deal with these threats today?
    Reactively
    - We manually investigate incidents, which is time consuming
    - We employ 3rd party consultancies to collect data for compliance
    - We quarantine computers from the network (disrupting operations)
    - We need multiple tools to investigate and solve problems
    - We have to wait for our AV vendor to supply signatures for new outbreaks
    Proactively
    - We cannot search the network for IP or other sensitive data
    - We cannot search for unauthorised software or malicious code
    - We cannot forensically remove data or malicious processes
    - We don't have time to investigate disgruntled employees
    - We can't identify potential risks comprehensively
12. How EnCase Enterprise and its modules link together
    [Architecture diagram; only the labels survive.]
    - Columns: Data Audit (EnCase Data Audit & Policy Enforcement), System Audit (EnCase Infocon Hardening), Investigative Intelligence (HB Gary Responder)
    - Current: EnCase eDiscovery, Bit 9
    - EnCase Enterprise Platform (Examiner, SAFE, Snapshot, Connections, Pro Suite)
    - EnCase Enterprise Command Centre API
    - Future: Document Management Systems, Security Information Management, Intrusion Detection, Content Management Systems
13. Critical Requirements of IR Capabilities
    REACTIVE: Extreme end point visibility to answer hard information security questions at critical times:
    - Were we compromised or NOT?
    - Precision response to attacks
    - Remote and immediate access to RAM and raw disk level data
    - Preserve requisite info for optimal decision making process: “Freeze crime scene”
    - Enterprise collateral damage assessment
    - Easily search for “intrusion footprint signatures”
    - Search the enterprise for critical information
14. Implement Incident Response infrastructure
    - Implement EnCase Enterprise as a core
      • define additional functionalities and plugins for EnCase
      • training, testing, support, etc.
    - Integrate it with other tools
      • IDS, IPS, network management, physical security, system administration, etc.
      • Help Desk system, trouble ticketing system
    - Develop a lifecycle for an efficient Incident Response System
      • policies, controls, reports, tests, etc.
      • keep the IR system proactive, healthy and efficient
15. Anti-Forensics
    Anti-forensics is any and all actions taken by an unauthorized intruder to conceal evidence
    • securely deleting critical log files is considered an anti-forensic technique.
    - use of anti-forensics was discovered in 39% of cases
    - this will be a trend to watch over the next years
    Source: "2008 Data Breach Investigations Report", a study conducted by the Verizon Business RISK Team
16. Incident Response Recommendations
    - Align process with policy
    - Achieve “essential” then worry about “excellent”
    - Secure business partner connections
    - Create a data retention plan
    - Control data with transaction zones
    - Monitor event logs
    - Create an incident response plan
    - Increase awareness
    - Engage in mock incident testing
17. IT security dependencies
    - IT security depends on core competencies:
      • People - skill and knowledge problem
      • Process - there are standards and best practices
      • Technologies - control of usage and functions
    - This can be achieved by
      • developing an enterprise investigative infrastructure
      • use of forensic technologies as a core part of IR
19. EnCase Enterprise (EE) Platform
    Key capabilities
    - Covertly investigate across the network on live machines
    - Bit level analysis able to uncover deleted and hidden data
    - Also able to analyse volatile data in RAM
    - Sweep the enterprise for hacker code like key loggers and rootkits
    - Court validated as forensically sound
    - Role based access control and encrypted data flow
    Business benefits
    - Respond to HR/IT requests much faster
    - Conduct many more investigations with the same resource
    - Rules employees in or out of investigations covertly
    - Collects court-validated evidence of wrongdoing
20. Case Review I - Core EE
    HR Investigation – a specific employee is under suspicion for viewing inappropriate content on their office machine.
    - The specific employee's PC is covertly previewed
    - The suspect's directory structure is viewed and all images are found
    - A timeline analysis of when specific files/images were saved can be seen
    - Over 400 types of file formats can be viewed natively without having the corresponding applications
    - All deleted but not overwritten files are pulled up for further evidence; they can be viewed though deleted
    - USB/external storage device analysis can be done, to check which files have been copied onto them
    - The USB ID can be used to find where else the USB device has been plugged into other machines on the network
21. EnCase Incident Response
    Key capabilities
    - Can integrate directly with IDS and SIM solutions
    - Automatically collects volatile data at point of attack or infection
    - Threat can be killed immediately on target machine
    - Scan and kill threat across entire network very quickly
    Business benefits
    - Acts on intelligence provided by SIM
    - Guarantees collection of intelligence 24x7x365
    - Removes threat from entire estate without disrupting operations
    - Helps enhance defences by offering real actionable intelligence
    - Drives the true value out of IDS and SIM solutions
    - An effective way to counter “Day Zero” attacks!
22. Case Review II
    A professional malicious attacker tries to penetrate your network and you have netForensics deployed.
    - The SIM (netForensics) and other perimeter defence products throw up high-priority alerts
    - Alert passed on to EnCase Enterprise
    - Automatic Snapshot of target machine retrieved (all processes running in RAM of target machine)
    - Your SIRT team analyse snapshot results to determine malicious processes
    - Process can be killed remotely and forensically wiped on target node
    - Malicious/rogue process hashed and enterprise sweep carried out to determine extent of breach; can be remotely wiped on all “infected” nodes to clean network
23. Kill Malicious Process – options
    Choice of deleting the process file, or deleting and wiping from hard drive
24. EnCase Data Audit & Compliance
25. EnCase Data Audit & Compliance
    Key capabilities
    - Automate the search for IP (e.g. Video on Demand), source code, PII such as credit card numbers, financial statements, compliance data, recharge card codes, etc.
    - by keyword, hash value, metadata, document type, within a date range, using GREP search expressions, across a defined node range
    - Move offending data to a new location or wipe it completely
    - Completed on desktops, laptops and servers regardless of OS
    Business benefits
    - Protects valuable intellectual property
    - Reduces risk of credit card and customer data theft
    - Limits negative press by removing risks before they happen
    - Ensures swift compliance with regulator demands
    - Forms basis for refining/tightening company policies/processes
26. Case Review III – protecting confidential info
    Minimise the risk of leakage by sweeping the network for a known highly “Confidential” strategy document.
    - The confidential document is hashed to get its unique signature.
    - An enterprise “sweep” is quickly done for this hash value. Whilst a keyword sweep can be done, using the hash is much faster.
    - Results are found. Further investigation is done on those machines to see where the document was emailed.
    - This is done by analysing the local PST mail file: search for attachments with the same hash value. The main body content of the mail can also then be easily seen.
    - Remediation (forensically deleting the classified data) can also be done, if necessary.
27. EnCase Infocon Hardening
    Key capabilities
    - Perform network wide system integrity checking
    - Baseline servers, workstations and laptops
    - Perform scheduled and automated audits to look for threats from malicious and risky applications of any kind without having to wait for signatures from antivirus vendors and other assessment tools
    - Identify undocumented and unauthorized configuration changes to systems
    - Automate the auditing and reporting of systems across time to identify installed software, new devices, and changes to users
    Business benefits
    - Ensures contraband, such as illegal software, is not on the network
    - Ensures key system assets have not been compromised by external hackers
    - Identifies suspicious employee behaviour, such as trying to hide data
28. Case Review IV – System Audit for a key Enterprise Server
    An enterprise server (e.g. online mobile payments application) is audited whilst live to check for potential compromise/threats.
    - A “gold build”, i.e. the set of all known good running processes, is created for that server. This hash set forms the baseline.
    - At a later point in time, an audit is done for the same machine or other servers that should be identical.
    - Infocon Hardening quickly compares the baseline with results from the snapshot of running processes. Any processes not in the standard baseline are highlighted.
    - Based on further investigation and validation, the offending processes can be remotely “killed” and wiped if necessary.
29. On investigation, undesired processes can be killed remotely to restore the baseline
    Choice of deleting the process file, or deleting and wiping from hard drive
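The two hash-set procedures in Case Review III (sweep collected files for a known document's hash) and Case Review IV (gold-build baseline of running processes compared against a later snapshot), as an added Python example that is not EnCase or Guidance Software code; node names, paths, file contents and process images are all constructed, and the hash used is SHA-1 (an assumption, the deck does not name the algorithm).

```python
import hashlib
from dataclasses import dataclass


def sha1_hex(data: bytes) -> str:
    """Hash value used for both the document sweep and the process baseline."""
    return hashlib.sha1(data).hexdigest()


# --- Case Review III: sweep collected files for a known document's hash ---
# Constructed sample document; in practice this is the real confidential file.
CONFIDENTIAL_DOC = b"2009 strategy - CONFIDENTIAL - do not distribute\n"
CONFIDENTIAL_HASH = sha1_hex(CONFIDENTIAL_DOC)

# Constructed "collected files" as (node, path, content); node names and
# paths are hypothetical. One is the original, one the same bytes saved as
# a mail attachment, one an edited copy, one unrelated.
COLLECTED_FILES = [
    ("ws-017", "C:/Users/alice/strategy.doc", CONFIDENTIAL_DOC),
    ("ws-042", "C:/Users/bob/mail-attachments/fwd.doc", CONFIDENTIAL_DOC),
    ("ws-042", "C:/Users/bob/strategy-v2.doc", CONFIDENTIAL_DOC + b"v2\n"),
    ("srv-01", "D:/share/lunch-menu.txt", b"Monday: soup\n"),
]


def sweep_for_hash(files, target_hash):
    """Return (node, path) for every file whose content hash equals target_hash.

    A hash sweep finds exact copies under any name; an edited copy, even by
    one byte, does not match, which is why the deck mentions keyword search
    as the slower alternative when the document may have been modified."""
    return [(node, path) for node, path, content in files
            if sha1_hex(content) == target_hash]


# --- Case Review IV: gold-build baseline of running processes ---
@dataclass(frozen=True)
class Process:
    name: str
    image_hash: str  # hash of the executable backing the process


def build_gold_baseline(known_good_images):
    """The 'gold build': a hash set of every executable allowed on the server."""
    return {sha1_hex(image) for image in known_good_images}


def unknown_processes(snapshot, baseline):
    """Processes whose executable hash is not in the baseline.

    Comparison is by hash, not by name, so a replaced binary that keeps a
    legitimate process name is still flagged."""
    return [p for p in snapshot if p.image_hash not in baseline]


# Constructed executables and snapshot: 'svchost-replaced' keeps a known
# name but a different image, 'updater-unknown' is simply not in the build.
GOLD_BUILD = build_gold_baseline([b"svchost-v1", b"lsass-v1", b"sqlservr-v1"])
SNAPSHOT = [
    Process("svchost.exe", sha1_hex(b"svchost-v1")),
    Process("lsass.exe", sha1_hex(b"lsass-v1")),
    Process("svchost.exe", sha1_hex(b"svchost-replaced")),
    Process("updater.exe", sha1_hex(b"updater-unknown")),
]

if __name__ == "__main__":
    for node, path in sweep_for_hash(COLLECTED_FILES, CONFIDENTIAL_HASH):
        print(f"hash hit: {node} {path}")
    for p in unknown_processes(SNAPSHOT, GOLD_BUILD):
        print(f"not in gold build: {p.name} {p.image_hash}")
```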