
BSidesTO - Incident Response for Cheapskates

My talk for BSides Toronto 2013 outlining cost-effective ways to conduct incident response and digital forensics in the real world.

Published in: Technology

  1. Incident Response for Cheapskates. Lee Brotherston
  2. Let's define an Incident
  3. Where can we Improve?
  4. Hijack / Integrate with Existing processes
  5. Roles & Responsibilities
  6. Determine the Rules of engagement
  7. Leverage existing tools
  8. Relationships and Politics
  9. SIEM'less Intelligence
  10. Live system Forensics
  11. Sniper Forensics
  12. Memory Analysis with Volatility
  13. The Sleuth Kit + Autopsy
  14. But... Encase & hardware Write Blocker?
  15. Write Blocker Diagram (figure; components labelled: Oxford Semiconductor OXUF922 Bridge Chip, Agere FW801, SST 39VF100 Flash, IDT 71V016SA RAM, Firewire, USB and IDE interfaces)
  16. Block diagram of the OXUF922 Bridge Chip (figure; blocks labelled: Arm Processor, DMA, 1394 / USB / UART / IDE / Serial, Queue Manager, RAM, Control)
  17. Hardware Write Blockers Run Software! (Attribution: Brad McMahon)
  18. Taking an image with dc3dd / dd
  19. Terminal session (parted, then a read-only loop mount at the partition's byte offset):

      ```
      # parted /mnt/usbdsk/target0_img.dd
      GNU Parted 2.3
      Using /mnt/usbdsk/target0_img.dd
      Welcome to GNU Parted! Type 'help' to view a list of commands.
      (parted) unit
      Unit? [compact]? B
      (parted) print
      Model: (file)
      Disk /mnt/usbdsk/target0_img.dd: 500107862016B
      Sector size (logical/physical): 512B/512B
      Partition Table: msdos

      Number  Start          End            Size           Type     File
       1      1048576B       210763775B     209715200B     primary  ntfs
       2      210763776B     107586662399B  107375898624B  primary  ntfs
       3      107586662400B  479341645311B  371754982912B  primary  ntfs
       4      479341645312B  500103450111B  20761804800B   primary  diag

      (parted) quit
      # mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/
      # ls /mnt/image/
      pagefile.sys   Program Files          System Volume Information
      Documents and Settings   PerfLogs   Program Files (x86)   Recovery   Users
      ProgramData   $Recycle.Bin   Windows
      ```

  20. What about virtualised Environments?
  21. Free Forensics Tools vs Encase
  22. Data & File Analysis Tools
  23. For starters try C.A.IN.E (Linux LiveCD)
  24. Remediation: Cleanup/Shutdown/Prosecute
  25. Lessons Learned. Let's Market!
  26. Thank you. Any Questions? Lee Brotherston - @leEb_public - lee@nerds.org.uk
  27. Some Things I Mentioned
      ● Flow-tools: http://www.splintered.net/sw/flow-tools/
      ● Sleuthkit & Autopsy: http://www.sleuthkit.org/
      ● Volatility: https://www.volatilesystems.com/default/volatility
      ● C.A.IN.E: http://www.caine-live.net/
      ● Dc3dd: http://sourceforge.net/projects/dc3dd/
