forensics for the defense

Post on 28-Nov-2014


DESCRIPTION

Forensic techniques are not just for law enforcement. You need to supplement your existing security package and provide evidence of due diligence in the event of an incident. Test your security before someone else does.

TRANSCRIPT

Tom Kopchak

Forensics for the Defense (of your network)

• Who am I?

• Why am I here, and what got me here?

• Why am I passionate about computer security?

About the Presenter – Who am I?

You do "forensics"?!? That sounds awesome!!

The Truth

• Evidence can be hard to come by

• Any and all evidence must be carefully accounted for and documented

• Cases involving movie-like circumstances are few and far between

Forensics = Valuable

• Traditional - Law enforcement

• Emerging - Security

Traditional Forensics – Disks

Next Steps – Memory

Expanding the Scope

Leveraging Forensics for Business

Commonalities

Practical Applications

• Forensic Verification

• Forensic Penetration Testing

• Malware/Exploit/Breach Analysis

Practical Applications

A word of caution...

• Permission!

Why Forensics?

• Security is not a checkbox

• Simulate attack

• Identify shortcomings

Forensic Verification

• Applications might store temporary/cached data

• PCI implications

Test Configuration

• Control image

• Test Cases

• Analysis
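To make the control image / test cases / analysis workflow concrete, here is an added example (not from the talk): it hashes every file in a control image and in the image taken after a test case, lists what the test added or changed, and checks those files for Luhn-valid card-number-like strings, the kind of cached data behind the PCI point above. The directory layout and file contents are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def luhn_ok(digits):
    """Luhn check; filters random digit runs (IDs, timestamps) out of the hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# 13 to 19 digits with optional space/dash separators, not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(data):
    """Luhn-valid card-number-like digit runs found in a byte string."""
    runs = (re.sub(rb"[ -]", b"", m.group()).decode() for m in PAN_RE.finditer(data))
    return [d for d in runs if luhn_ok(d)]

def verify(control_root, test_root):
    """Files new or modified in the test image, and which of them hold PAN-like data."""
    control, test = hash_tree(control_root), hash_tree(test_root)
    changed = sorted(p for p, h in test.items() if control.get(p) != h)
    findings = {p: find_pans((Path(test_root) / p).read_bytes()) for p in changed}
    return changed, {p: v for p, v in findings.items() if v}

def demo():
    """Constructed sample: the test case leaves a cache file holding a test PAN."""
    base = Path(tempfile.mkdtemp())
    for root in (base / "control", base / "test"):
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.ini").write_bytes(b"mode=prod\n")
    (base / "test" / "app" / "cache.tmp").write_bytes(
        b"last_txn 4111 1111 1111 1111 ok\nid=123456789012345\n")
    return verify(base / "control", base / "test")
```

On a real engagement the two roots would be the mounted control image and the mounted post-test image; the 15-digit id in the sample is rejected by the Luhn check, showing why the filter is there.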

Encrypted Laptop – Stolen!

It’s safe, right?

The Solution – Forensics Penetration Testing

Zero Knowledge vs. Authenticated Testing

The Real Test

Fully Encrypted – Administrator Confidence 100%

Starting the Attack

Machine Powered Off – Full Disk Images Created

Breakthrough

• Grace period for pre-boot authentication lockout

Mounting the attack

Downgrade memory – Leverage DMA – Exploit OS

Result: Full Admin Access to Entire System

Failure of Encryption?

• Encryption Did Not Fail!

• Convenience vs. Security

• Zero knowledge attack

Forensics for the Defense – One System at a Time

• System vulnerabilities unknown until tested

• Forensic Penetration testing = same purpose as traditional penetration test

• Learn and improve from mistakes

Conclusions

• Forensic techniques are not just for law enforcement

• Supplement your existing security package

• Provide evidence of due diligence in the event of an incident

• Test your security before someone else does

Wrap Up/QA
