SlideShare uma empresa Scribd logo

6 Scope & 7 Live Data Collection

Sam Bowne
Sam Bowne

For a college course in incident response More info: https://samsclass.info/152/152_F22.shtml

Educação
1 de 118
Baixar para ler offline
CNIT 152: Incident Response 6. Discovering the Scope of the Incident Updated 9-15-22
Establishing the Scope
Examining Initial Data • Look at original aler t • You may notice more than the person who reported it di d • Ask about other detection systems and review what they recorde d • Network administrators may not think like investigator s • Gather context for the detection event
Preliminary Evidence • Determine what sources of preliminary evidence may hel p • Decide which sources you will actually us e • Collect and review the evidenc e • Identify sources that are easy to analyze, and that quickly provide initial answers
Example: Malware
Independent Sources • Firewall logs don't depend on registry keys, etc . • Multiple independent evidence sources lead to more reliable conclusion s • It's dif fi cult for an attacker to remove or modify evidence from all source s • Less likely that a routine process would overwrite or discard all evidenc e • Cross-check information, like date and time
Review • Attacker may be causing more damag e • Test a detection method on one system, or a small date range of log entrie s • Make sure your detection method is fast and effective
Determining a Course of Action
Determining a Course of Action
Scenario1: Data Loss
Data Loss Scenario • Large online retaile r • You work in IT security departmen t • Customers are complaining about spam after becoming a new customer
Finding Something Concrete • Anecdotal customer complaints are inconclusiv e • Option s • Work with customers and review their emai l • Reliability and privacy problem s • Create fake customer accounts with unique email addresses
Fake Accounts • Use 64-character random username s • Unlikely that spammers would guess the username s • Monitor those accounts
Preliminary Evidence • Assuming customer data is being lost someho w • Find where customer data is and how it is manage d • One internal database on production serve r • One external database at a third-party marketing fi rm
Interview Results
Interview Results
Progress
Theories & Simple Tests • Inside r • No easy way to tes t • Modi fi ed code on website to capture email addresse s • Enter some fake accounts directly into database, bypassing the web for m • Someone copying backup tape s • Add some fake accounts to the backups
Three Sets of Fake Accounts 1. Made through the web for m 2. Entered directly into the database, bypassing the web for m 3. Added only to the backups
Two Weeks Later • Spam comes to the fi rst set of fake account s • And to the accounts manually entered into the databas e • Suggests the website is not part of the proble m • No spam to the accounts on the backup tap e • Backups aren't the source of data loss
New Theories • Direct access to the databas e • Malware on the database serve r • Accessing it over the network
Monitoring Queries • Network-level packet capture s • Expensive, powerful system require d • If queries are encrypted, or malware is obfuscating them, it may be hard to decode the traf fi c • Database-level query monitoring and loggin g • Most ef fi cient and reliable technique
Next Steps • Create a few more fake account s • Talk to database and application administrator s • To fi nd out where data is store d • Scan through logs to see what is "normal " • No queries or stored procedures perform a bulk export of email addresses on a daily basis
Two Weeks Later • New accounts get spa m • Retrieve query logs from time accounts created to spam tim e • For the fi eld "custemail " • A single query is foun d • SELECT custemail FROM custpro fi le WHERE signupdate >= "2014-02-16"
Query Details • Feb 17, 2014 at 11:42 am GM T • Originated from IP in graphics arts dept . • Query used an database administrator's username from the IT dept . • Interview reveals that graphics arts dept. has no direct interaction with customers, only outside vendors
Leads
Action: Graphics Arts Desktop
Action: Database Server
Results from Workstation • Examine images, focusing on actions at the time of the quer y • Malware found on workstatio n • Persistent, provides remote shell, remote graphical interface, ability to launch and terminate processe s • Connects to a foreign I P • Has been installed for two year s • Cannot determine how system was originally compromised
Final Steps of Investigation
Scoping Gone Wrong • After complaints from customer s • Search every computer in the company for unique strings in the customer data , • And fi les large enough to include all the customer records
Problems • No evidence that the stolen data is stored on company server s • No evidence that the data is all being stolen at once in a large fi l e • And even so, it would probably be compresse d • Large amount of effort; low chance of success
Another Unwise Path • Focus on insider s • Who had access and knowledge to steal the customer dat a • Compile pro fi les of numerous employee s • Review personnel fi le s • Background checks, surveillance software capturing keystrokes and screen image s • Video surveillance installed
Problems • Leads to a "witch hunt " • Invades privacy of employee s • Large effort, small chance of success
Another Unwise Path • Because the data resides on the database serve r • Image and analyze RAM from the database server to hunt for malwar e • Because the hard drives are massive and too large to investigate easily
Problems • Once again, they have jumped to a conclusio n • And ignored other possibilitie s • Large effort, low chance of success
Scenario 2: Automated Clearing House Fraud
Funds Transfer • Bank called the CEO--they blocked an ACH transfer of $183,642.7 3 • To an account that was never used befor e • Flagged by their fraud prevention syste m • Transfer from CFO's account, but he says he never authorized it
Facts from the Bank
Preliminary Evidence • Firewal l • Two weeks of log s • Examine this fi rs t • Should you examine CFO's laptop computer ? • Live response, RAM, hard driv e • But maybe other computers are involved
Firewall Logs • Look near the time the unauthorized transfer occurred (4:37 pm ) • See who logged in prior to tha t • Two computers logged in via HTTPS, making a number of connections between 4:10 pm and 4:48 p m • From two IPs -- one is CFO's, other not immediately recognized
Two Immediate Tasks • Gather complete forensic evidence from CFO's compute r • Live response, RAM, and hard dis k • Because evidence is being lost as time passe s • Track down the other IP address and decide what action is appropriate
DHCP Logs • Search for the time in questio n • Get MAC address from DHCP log s • It's the MAC of the CFO's laptop (wireless card ) • So there's only one computer involved
Interview the CFO
Recap
Theories
Open Of fi ce Space • CFO's of fi ce is in clear view of other worker s • It's unlikely that someone could go into it unobserved
CFO's Computer • Recently installed persistent executabl e • Send it to a third-party analysis sit e • It's a variant of the Zeus banking malware
Final Steps of Investigation
Scoping Gone Wrong • There are no recent antivirus or IDS alert s • So you believe the security issue must be at the ban k • Tell the bank to fi nd the attacker and put them in jail
Problems • No attempt to validate the bank's original dat a • Company assumes that existing network security measures would detect a problem, if there was on e • Assumption that a third-party can help yo u • While you wait, data on company systems is lost
Another Unwise Path • CEO believes that security measures are in place to prevent malware, so the CFO must have initiated the transfe r • The CEO wants you to investigate the CFO and avoid tipping him (or her) off
Problem • No security measures are perfect, not even two- factor authenticatio n • Also, that sort of investigation is outside your expertise, and should be referred to an outside contractor
Ch 6
CNIT 152: Incident Response 7. Live Data Collection
Purpose of Live Collection • Preserve volatile evidence that will further the investigatio n • Also collect log fi les and fi le listing s • Get answers quickl y • Minimize changes to the syste m • Avoid disrupting business, causing crashes, or destroying evidence
When to Perform Live Response
Risks of Live Response
Altering the Evidence • All live response changes the system • Purists don't like i t • But the alternative is to lose all volatile data and get only a disk imag e • You can minimize changes, but not eliminate them
Selecting a Live Response Tool • Homegrown Microsoft DOS batch script (or bash ) • Perl-based scrip t • There are specialized live-response products, free and commercial
Velociraptor • Our main live response tool
Factors to Consider • Is the tool generally accepted in the forensic community ? • Does the solution address the common operating systems in your environment ? • Tools that use OS commands should contain known good copies of those commands, not trust the local commands on the suspect system
Factors to Consider • Does the solution collect data that is important to have, in your environment ? • How long does a collection take ? • Recommended: less than an hour per syste m • Is the system con fi gurable ? • Is the output easily reviewed and understood?
What to Collect • Current running state of the syste m • Network connection s • Running Processe s • What happened in the pas t • File listings, system log s • Usually a higher priority
The Deep End • Some organizations always collect entire RAM contents, or hard disk image s • Don't collect data that you can't effectively use or understan d • Collect data you can really use to quickly determine the impact of the incident
Data to Collect
Data to Collect
Data to Collect
Complete RAM Capture • Requires specialized tools to collect and interpre t • Not part of Live Respons e • Sometimes needed on carefully chosen systems
Collection Best Practices • Practice on a test system fi rs t • Learn how fast the process is, and how large the output i s • Practice handling problem s • Broken USB port or NI C • Locked screen
Caution: Malware • The system you are examining may be infected with malwar e • Any media you connect may become infecte d • Any credentials you use may be compromised
Recommended Procedure
• From 2018 • Link Ch 7f • https://www.researchgate.net/publication/ 328859673_Comparison_of_Acquisition_Software _for_Digital_Forensics_Purposes
Popular Tools
RAM Usage
DLLs and Registry Keys
Results
Recommended Procedure
Recommended Procedure
Horror Stories: IR Procedures • Copy live response toolkit to affected systems, save collected data back to that same system including full RAM dump, several gigabytes in siz e • Remotely log in with domain administrator account, run netstat & Task Manage r • Pull out the plug, image the hard drive
Good Methods of Live Response • Network share on a dedicated fi le serve r • Not part of any domai n • Used throwaway credentials not used for any other purpos e • Two folder s • Read-only containing the live response toolki t • Writeable for output from live response toolkit
Live Response Process
Live Response Tips • Air-gap for evidence serve r • Logging and auditing access to evidence serve r • Automate process for consistenc y • Live Response software must run as Local Administrator/root
Media • Some computers cannot connect external medi a • Hardware failure, con fi guration, etc . • Common options for running toolki t • CD-ROM, DVD, network shar e • Encrypted network streaming tool like cryptcat or stunnel to send output to another system
Unexpected OS • Cannot run your normal live response toolki t • If you can't update or modify your toolkit to ru n • Perform manual live response
Unexpected OS • Create a checklist of the automated steps in the toolkit for a similar O S • Research command-line option s • Test them on a known clean system, if possibl e • Manually perform steps to collect evidence
Automation • Decreases human erro r • Makes processes more consistent and faste r • Helps to prevent bad guys from gathering intelligence about how you respond to incident s • Anything you do on the evidence system may be sent to the bad guys
Ch 7a
Live Data Collection on Microsoft Windows Systems
Three Main Options • Use a prebuilt kit • Like Mandiant Redline or Velocirapto r • Create your ow n • Use a hybrid of the two
Mandiant Redline • Install the Redline MSI package on a trusted workstatio n • Create the Redline collector on the trusted syste m • The only step you take on a suspect system is to run the stand-alone Redline collector batch scrip t • Automatically saves data to the same location you ran the script from
Do It Yourself • Make your own live response toolki t • Decide what OS to suppor t • Windows has many versions, and big differences between 32-bit and 64-bi t • Find tools that collect the information you want
Windows Built-in Tools • Copy these fi les from a clean Windows syste m • Also copy cmd.ex e • "Trusted binaries " • Don't trust fi les on the evidence machine
Free Tools • Use command-line versions, not GUI version s • Easier to scrip t • Less impac t • Rename every tool so you can identify it as something you added to the syste m • Prepend "t_"
Other Data Items • Prefetch informatio n • System restore point informatio n • Browser history, and mor e • Balance your needs with the impact the collection has on the system
Scripting Language • Choose on e • MS-DOS Batch (lowest impact ) • PowerShel l • VBScrip t • Per l • Python
Scripting Tips • Add logging and compute a checksum of collected dat a • Be careful with fi le and directory name s • They may be long or include space s • Test your script extensively • Built a test environment that resembles your production system s • Watch for errors and unexpected results
Memory Collection • Tools for a full memory dum p • AccessData FTK Imager Lit e • Mandiant Memoryz e • Monsools Windows Memory Toolki t • Belkasoft RAM Capturer
Mandiant Memoryze • Command-line tool: MemoryDD.bat
AccessData FTK Imager Lite
Individual Process RAM Dump • Tool s • Mandiant Memoryz e • Microsoft userdum p • Microsoft procdum p • Ntsecurity.nu pmdump
TeamViewer Credentials
Live Data Collection on Unix-Based Systems
LINReS • From Network Intelligence Indi a • Written for RedHat 3 and 4, not updated since 200 6 • Useful mainly as an example to guide you in making a custom tool
Do It Yourself • Really the only optio n • Make some script s • Mandiant uses Bourne shell scripts that make scripts for various Unix/Linux version s • Requires constant maintenance
Language Choices • Per l • Pytho n • Bourne shel l • BASH (Mandiant uses this ) • others
Apple Systems • system_pro fi le r • Very long list of software, hardware, logs, etc.
system_pro fi ler
system_pro fi ler
Built-in Unix Tools
Built-in Unix Tools
Built-in Unix Tools
Memory Collection • The memory device is handled differently in every version of Unix, BSD, and Linu x • In earlier versions, you could just use dd to collect RAM through the /dev/mem devic e • Direct access to memory is now blocked for security reason s • Use LiME – Linux Memory Extractor (link Ch 7c)
Loadable Kernel Modules • LiME is an LK M • Must be compiled for the exact kernel version running on the target syste m • No ability to include checksums of the outpu t • You must do that yourself
Collection from BSD-Based Kernels • Use dc3dd or dc fl dd to capture contents of 
 /dev/me m • They are like dd but also include checksum s • In recent versions, there's no End Of File mark in /dev/mem, so you must manually specify how many bytes to capture
Collection from Apple OS X • Memoryze for Mac (link Ch 7d ) • Mac Memory Reader seems to be gone
Individual Process Dump • "gcore" (part of gdb, the GNU debugger)
Ch 7b

Recomendados

CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
CNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationCNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationSam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceSam Bowne
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 

Recomendados

CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
CNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationCNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationSam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceSam Bowne
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceSam Bowne
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionprimeteacher32
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsDr. Ramchandra Mangrulkar
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools Jyothishmathi Institute of Technology and Science Karimnagar
 
4 Getting Started & 5 Leads
4 Getting Started & 5 Leads4 Getting Started & 5 Leads
4 Getting Started & 5 LeadsSam Bowne
 
CNIT 152 8. Forensic Duplication
CNIT 152 8. Forensic DuplicationCNIT 152 8. Forensic Duplication
CNIT 152 8. Forensic DuplicationSam Bowne
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsAnshul Tayal
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsJyothishmathi Institute of Technology and Science Karimnagar
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsNicholas Davis
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsNicholas Davis
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 

Mais conteúdo relacionado

Mais procurados

CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceSam Bowne
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
4 Getting Started & 5 Leads
4 Getting Started & 5 Leads4 Getting Started & 5 Leads
4 Getting Started & 5 LeadsSam Bowne
 
CNIT 152 8. Forensic Duplication
CNIT 152 8. Forensic DuplicationCNIT 152 8. Forensic Duplication
CNIT 152 8. Forensic DuplicationSam Bowne
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 

Mais procurados (20)

CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
 
Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows Forensics
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
4 Getting Started & 5 Leads
4 Getting Started & 5 Leads4 Getting Started & 5 Leads
4 Getting Started & 5 Leads
 
CNIT 152 8. Forensic Duplication
CNIT 152 8. Forensic DuplicationCNIT 152 8. Forensic Duplication
CNIT 152 8. Forensic Duplication
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 

Semelhante a 6 Scope & 7 Live Data Collection

CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
CNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologyCNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologySam Bowne
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
An Introduction To Software Development - Testing, Continuous integration
An Introduction To Software Development - Testing, Continuous integrationAn Introduction To Software Development - Testing, Continuous integration
An Introduction To Software Development - Testing, Continuous integrationBlue Elephant Consulting
 
ICONUK 2016: Back From the Dead: How Bad Code Kills a Good Server
ICONUK 2016: Back From the Dead: How Bad Code Kills a Good ServerICONUK 2016: Back From the Dead: How Bad Code Kills a Good Server
ICONUK 2016: Back From the Dead: How Bad Code Kills a Good ServerSerdar Basegmez
 
RuSIEM overview (english version)
RuSIEM overview (english version)RuSIEM overview (english version)
RuSIEM overview (english version)Olesya Shelestova
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas IndonesiaIGN MANTRA
 
NNT Business Solutions - NNTServe Overview
NNT Business Solutions - NNTServe OverviewNNT Business Solutions - NNTServe Overview
NNT Business Solutions - NNTServe OverviewNNT Solutions
 
Employee Turnover And Computer Forensic Analysis Best Practices
Employee Turnover And Computer Forensic Analysis Best PracticesEmployee Turnover And Computer Forensic Analysis Best Practices
Employee Turnover And Computer Forensic Analysis Best Practicesscardecourcier
 
Penetration testing experience at the University of Worcester
Penetration testing experience at the University of WorcesterPenetration testing experience at the University of Worcester
Penetration testing experience at the University of WorcesterJisc
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Securing sharepoint
Securing sharepointSecuring sharepoint
Securing sharepointPeter_1020
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesDragos, Inc.
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 

Semelhante a 6 Scope & 7 Live Data Collection (20)

CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data Collection
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
CNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologyCNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis Methodology
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
An Introduction To Software Development - Testing, Continuous integration
An Introduction To Software Development - Testing, Continuous integrationAn Introduction To Software Development - Testing, Continuous integration
An Introduction To Software Development - Testing, Continuous integration
 
ICONUK 2016: Back From the Dead: How Bad Code Kills a Good Server
ICONUK 2016: Back From the Dead: How Bad Code Kills a Good ServerICONUK 2016: Back From the Dead: How Bad Code Kills a Good Server
ICONUK 2016: Back From the Dead: How Bad Code Kills a Good Server
 
RuSIEM overview (english version)
RuSIEM overview (english version)RuSIEM overview (english version)
RuSIEM overview (english version)
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
 
NNT Business Solutions - NNTServe Overview
NNT Business Solutions - NNTServe OverviewNNT Business Solutions - NNTServe Overview
NNT Business Solutions - NNTServe Overview
 
Employee Turnover And Computer Forensic Analysis Best Practices
Employee Turnover And Computer Forensic Analysis Best PracticesEmployee Turnover And Computer Forensic Analysis Best Practices
Employee Turnover And Computer Forensic Analysis Best Practices
 
Penetration testing experience at the University of Worcester
Penetration testing experience at the University of WorcesterPenetration testing experience at the University of Worcester
Penetration testing experience at the University of Worcester
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Securing sharepoint
Securing sharepointSecuring sharepoint
Securing sharepoint
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 

Mais de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 

Mais de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 

Último

FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinojohnmickonozaleda
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 

Último (20)

FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipino
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 

6 Scope & 7 Live Data Collection

  • 1. CNIT 152: Incident Response 6. Discovering the Scope of the Incident Updated 9-15-22
  • 3. Examining Initial Data • Look at original aler t • You may notice more than the person who reported it di d • Ask about other detection systems and review what they recorde d • Network administrators may not think like investigator s • Gather context for the detection event
  • 4. Preliminary Evidence • Determine what sources of preliminary evidence may hel p • Decide which sources you will actually us e • Collect and review the evidenc e • Identify sources that are easy to analyze, and that quickly provide initial answers
  • 6. Independent Sources • Firewall logs don't depend on registry keys, etc . • Multiple independent evidence sources lead to more reliable conclusion s • It's dif fi cult for an attacker to remove or modify evidence from all source s • Less likely that a routine process would overwrite or discard all evidenc e • Cross-check information, like date and time
  • 7. Review • Attacker may be causing more damag e • Test a detection method on one system, or a small date range of log entrie s • Make sure your detection method is fast and effective
  • 11. Data Loss Scenario • Large online retaile r • You work in IT security departmen t • Customers are complaining about spam after becoming a new customer
  • 12. Finding Something Concrete • Anecdotal customer complaints are inconclusiv e • Option s • Work with customers and review their emai l • Reliability and privacy problem s • Create fake customer accounts with unique email addresses
  • 13. Fake Accounts • Use 64-character random username s • Unlikely that spammers would guess the username s • Monitor those accounts
  • 14. Preliminary Evidence • Assuming customer data is being lost someho w • Find where customer data is and how it is manage d • One internal database on production serve r • One external database at a third-party marketing fi rm
  • 18. Theories & Simple Tests • Inside r • No easy way to tes t • Modi fi ed code on website to capture email addresse s • Enter some fake accounts directly into database, bypassing the web for m • Someone copying backup tape s • Add some fake accounts to the backups
  • 19. Three Sets of Fake Accounts 1. Made through the web for m 2. Entered directly into the database, bypassing the web for m 3. Added only to the backups
  • 20. Two Weeks Later • Spam comes to the fi rst set of fake account s • And to the accounts manually entered into the databas e • Suggests the website is not part of the proble m • No spam to the accounts on the backup tap e • Backups aren't the source of data loss
  • 21. New Theories • Direct access to the databas e • Malware on the database serve r • Accessing it over the network
  • 22. Monitoring Queries • Network-level packet capture s • Expensive, powerful system require d • If queries are encrypted, or malware is obfuscating them, it may be hard to decode the traf fi c • Database-level query monitoring and loggin g • Most ef fi cient and reliable technique
  • 23. Next Steps • Create a few more fake account s • Talk to database and application administrator s • To fi nd out where data is store d • Scan through logs to see what is "normal " • No queries or stored procedures perform a bulk export of email addresses on a daily basis
  • 24. Two Weeks Later • New accounts get spa m • Retrieve query logs from time accounts created to spam tim e • For the fi eld "custemail " • A single query is foun d • SELECT custemail FROM custpro fi le WHERE signupdate >= "2014-02-16"
  • 25. Query Details • Feb 17, 2014 at 11:42 am GM T • Originated from IP in graphics arts dept . • Query used an database administrator's username from the IT dept . • Interview reveals that graphics arts dept. has no direct interaction with customers, only outside vendors
  • 26. Leads
  • 29. Results from Workstation • Examine images, focusing on actions at the time of the quer y • Malware found on workstatio n • Persistent, provides remote shell, remote graphical interface, ability to launch and terminate processe s • Connects to a foreign I P • Has been installed for two year s • Cannot determine how system was originally compromised
  • 30. Final Steps of Investigation
  • 31. Scoping Gone Wrong • After complaints from customer s • Search every computer in the company for unique strings in the customer data , • And fi les large enough to include all the customer records
  • 32. Problems • No evidence that the stolen data is stored on company server s • No evidence that the data is all being stolen at once in a large fi l e • And even so, it would probably be compresse d • Large amount of effort; low chance of success
  • 33. Another Unwise Path • Focus on insider s • Who had access and knowledge to steal the customer dat a • Compile pro fi les of numerous employee s • Review personnel fi le s • Background checks, surveillance software capturing keystrokes and screen image s • Video surveillance installed
  • 34. Problems • Leads to a "witch hunt " • Invades privacy of employee s • Large effort, small chance of success
  • 35. Another Unwise Path • Because the data resides on the database serve r • Image and analyze RAM from the database server to hunt for malwar e • Because the hard drives are massive and too large to investigate easily
  • 36. Problems • Once again, they have jumped to a conclusio n • And ignored other possibilitie s • Large effort, low chance of success
  • 38. Funds Transfer • Bank called the CEO--they blocked an ACH transfer of $183,642.7 3 • To an account that was never used befor e • Flagged by their fraud prevention syste m • Transfer from CFO's account, but he says he never authorized it
  • 40. Preliminary Evidence • Firewal l • Two weeks of log s • Examine this fi rs t • Should you examine CFO's laptop computer ? • Live response, RAM, hard driv e • But maybe other computers are involved
  • 41. Firewall Logs • Look near the time the unauthorized transfer occurred (4:37 pm ) • See who logged in prior to tha t • Two computers logged in via HTTPS, making a number of connections between 4:10 pm and 4:48 p m • From two IPs -- one is CFO's, other not immediately recognized
  • 42. Two Immediate Tasks • Gather complete forensic evidence from CFO's compute r • Live response, RAM, and hard dis k • Because evidence is being lost as time passe s • Track down the other IP address and decide what action is appropriate
  • 43. DHCP Logs • Search for the time in questio n • Get MAC address from DHCP log s • It's the MAC of the CFO's laptop (wireless card ) • So there's only one computer involved
  • 45. Recap
  • 47. Open Of fi ce Space • CFO's of fi ce is in clear view of other worker s • It's unlikely that someone could go into it unobserved
  • 48. CFO's Computer • Recently installed persistent executabl e • Send it to a third-party analysis sit e • It's a variant of the Zeus banking malware
  • 49. Final Steps of Investigation
  • 50. Scoping Gone Wrong • There are no recent antivirus or IDS alert s • So you believe the security issue must be at the ban k • Tell the bank to fi nd the attacker and put them in jail
  • 51. Problems • No attempt to validate the bank's original dat a • Company assumes that existing network security measures would detect a problem, if there was on e • Assumption that a third-party can help yo u • While you wait, data on company systems is lost
  • 52. Another Unwise Path • CEO believes that security measures are in place to prevent malware, so the CFO must have initiated the transfe r • The CEO wants you to investigate the CFO and avoid tipping him (or her) off
  • 53. Problem • No security measures are perfect, not even two- factor authenticatio n • Also, that sort of investigation is outside your expertise, and should be referred to an outside contractor
  • 54. Ch 6
  • 56. Purpose of Live Collection • Preserve volatile evidence that will further the investigatio n • Also collect log fi les and fi le listing s • Get answers quickl y • Minimize changes to the syste m • Avoid disrupting business, causing crashes, or destroying evidence
  • 57. When to Perform Live Response
  • 58. Risks of Live Response
  • 59. Altering the Evidence • All live response changes the system • Purists don't like i t • But the alternative is to lose all volatile data and get only a disk imag e • You can minimize changes, but not eliminate them
  • 60. Selecting a Live Response Tool • Homegrown Microsoft DOS batch script (or bash ) • Perl-based scrip t • There are specialized live-response products, free and commercial
  • 61. Velociraptor • Our main live response tool
  • 62. Factors to Consider • Is the tool generally accepted in the forensic community ? • Does the solution address the common operating systems in your environment ? • Tools that use OS commands should contain known good copies of those commands, not trust the local commands on the suspect system
  • 63. Factors to Consider • Does the solution collect data that is important to have, in your environment ? • How long does a collection take ? • Recommended: less than an hour per syste m • Is the system con fi gurable ? • Is the output easily reviewed and understood?
  • 64. What to Collect • Current running state of the syste m • Network connection s • Running Processe s • What happened in the pas t • File listings, system log s • Usually a higher priority
  • 65. The Deep End • Some organizations always collect entire RAM contents, or hard disk image s • Don't collect data that you can't effectively use or understan d • Collect data you can really use to quickly determine the impact of the incident
  • 69. Complete RAM Capture • Requires specialized tools to collect and interpre t • Not part of Live Respons e • Sometimes needed on carefully chosen systems
  • 70. Collection Best Practices • Practice on a test system fi rs t • Learn how fast the process is, and how large the output i s • Practice handling problem s • Broken USB port or NI C • Locked screen
  • 71. Caution: Malware • The system you are examining may be infected with malwar e • Any media you connect may become infecte d • Any credentials you use may be compromised
  • 73. • From 2018 • Link Ch 7f • https://www.researchgate.net/publication/ 328859673_Comparison_of_Acquisition_Software _for_Digital_Forensics_Purposes
  • 80. Horror Stories: IR Procedures • Copy live response toolkit to affected systems, save collected data back to that same system including full RAM dump, several gigabytes in siz e • Remotely log in with domain administrator account, run netstat & Task Manage r • Pull out the plug, image the hard drive
  • 81. Good Methods of Live Response • Network share on a dedicated fi le serve r • Not part of any domai n • Used throwaway credentials not used for any other purpos e • Two folder s • Read-only containing the live response toolki t • Writeable for output from live response toolkit
  • 83. Live Response Tips • Air-gap for evidence serve r • Logging and auditing access to evidence serve r • Automate process for consistenc y • Live Response software must run as Local Administrator/root
  • 84. Media • Some computers cannot connect external medi a • Hardware failure, con fi guration, etc . • Common options for running toolki t • CD-ROM, DVD, network shar e • Encrypted network streaming tool like cryptcat or stunnel to send output to another system
  • 85. Unexpected OS • Cannot run your normal live response toolki t • If you can't update or modify your toolkit to ru n • Perform manual live response
  • 86. Unexpected OS • Create a checklist of the automated steps in the toolkit for a similar O S • Research command-line option s • Test them on a known clean system, if possibl e • Manually perform steps to collect evidence
  • 87. Automation • Decreases human erro r • Makes processes more consistent and faste r • Helps to prevent bad guys from gathering intelligence about how you respond to incident s • Anything you do on the evidence system may be sent to the bad guys
  • 88. Ch 7a
  • 89. Live Data Collection on Microsoft Windows Systems
  • 90. Three Main Options • Use a prebuilt kit • Like Mandiant Redline or Velocirapto r • Create your ow n • Use a hybrid of the two
  • 91. Mandiant Redline • Install the Redline MSI package on a trusted workstatio n • Create the Redline collector on the trusted syste m • The only step you take on a suspect system is to run the stand-alone Redline collector batch scrip t • Automatically saves data to the same location you ran the script from
  • 92. Do It Yourself • Make your own live response toolki t • Decide what OS to suppor t • Windows has many versions, and big differences between 32-bit and 64-bi t • Find tools that collect the information you want
  • 93. Windows Built-in Tools • Copy these fi les from a clean Windows syste m • Also copy cmd.ex e • "Trusted binaries " • Don't trust fi les on the evidence machine
  • 94. Free Tools • Use command-line versions, not GUI version s • Easier to scrip t • Less impac t • Rename every tool so you can identify it as something you added to the syste m • Prepend "t_"
  • 95. Other Data Items • Prefetch informatio n • System restore point informatio n • Browser history, and mor e • Balance your needs with the impact the collection has on the system
  • 96. Scripting Language • Choose on e • MS-DOS Batch (lowest impact ) • PowerShel l • VBScrip t • Per l • Python
  • 97. Scripting Tips • Add logging and compute a checksum of collected dat a • Be careful with fi le and directory name s • They may be long or include space s • Test your script extensively • Built a test environment that resembles your production system s • Watch for errors and unexpected results
  • 98. Memory Collection • Tools for a full memory dum p • AccessData FTK Imager Lit e • Mandiant Memoryz e • Monsools Windows Memory Toolki t • Belkasoft RAM Capturer
  • 101. Individual Process RAM Dump • Tool s • Mandiant Memoryz e • Microsoft userdum p • Microsoft procdum p • Ntsecurity.nu pmdump
  • 103. Live Data Collection on Unix-Based Systems
  • 104. LINReS • From Network Intelligence Indi a • Written for RedHat 3 and 4, not updated since 200 6 • Useful mainly as an example to guide you in making a custom tool
  • 105. Do It Yourself • Really the only optio n • Make some script s • Mandiant uses Bourne shell scripts that make scripts for various Unix/Linux version s • Requires constant maintenance
  • 106. Language Choices • Per l • Pytho n • Bourne shel l • BASH (Mandiant uses this ) • others
  • 107. Apple Systems • system_pro fi le r • Very long list of software, hardware, logs, etc.
  • 113. Memory Collection • The memory device is handled differently in every version of Unix, BSD, and Linu x • In earlier versions, you could just use dd to collect RAM through the /dev/mem devic e • Direct access to memory is now blocked for security reason s • Use LiME – Linux Memory Extractor (link Ch 7c)
  • 114. Loadable Kernel Modules • LiME is an LK M • Must be compiled for the exact kernel version running on the target syste m • No ability to include checksums of the outpu t • You must do that yourself
  • 115. Collection from BSD-Based Kernels • Use dc3dd or dc fl dd to capture contents of 
 /dev/me m • They are like dd but also include checksum s • In recent versions, there's no End Of File mark in /dev/mem, so you must manually specify how many bytes to capture
  • 116. Collection from Apple OS X • Memoryze for Mac (link Ch 7d ) • Mac Memory Reader seems to be gone
  • 117. Individual Process Dump • "gcore" (part of gdb, the GNU debugger)
  • 118. Ch 7b