Digital Forensics & IR

You can run, but you can’t hide

Antonio Sanz

IT Systems & Security Manager

Expert witness

@antoniosanzalc

http://www.equipoazul.es

#SanPepeEINA

WTF DFIR bro?

Boring legal stuff

Forensic magic

Stand-up guy

Wanna more ?

There is a war out there

Cybercrime

Cyberespionage

Child pornography

Digital

Forensics

Incident

Response

IR : Respond to an incident

Digital forensics : Post-mortem

Locard’s exchange principle

This is not a pipe

This is not a pipe

It’s all about evidence, stupid !

No fancy 3D tools like CSI

Techniques, tools and procedures

People could go to prison

Identification

Adquisition

Preservation

Analysis

Dissemination

Digital forensics phases

Legal stuff here

and here

Tech yeah!

WTF DFIR bro?

Boring legal stuff

Forensic magic

Stand-up guy

Wanna more ?

Acquisition

Mobile devices

RAID, SAN, NAS, VM

Cloud storage

Game consoles,

ebooks, DVR …

Gotta catch ‘em all

Should I pull the plug ?

Use a cond …

A write blocker

Whole enchilada

Get the whole enchilada

Preservation

is king

31

Chain of custody

OBEY THE CHAIN

WTF DFIR bro?

Boring legal stuff

Forensic magic

Stand-up guy

Wanna more ?

Bad guys want to hide … but they

need to run

Remember Locard: Artifacts

Live forensics

Order

of

Volatility

Cold boot attacks

Preservation

is king

Standard forensics

Recover deleted data

Recover deleted data

How

filesystems

work

Good times, MAC times

Making history

Space / Time Analysis

47

Don’t delete your history. Or do it, it doesn’t matter

Prefetch

Dogs can’t prefetch

Your Instant

Messages

belong to us

Recycle bin are gold mines

52

Registry knows where your porn is

Every USB you plugged could be used against you

Where did you say you hide your crap?.

Event logs

Finding things in logs is like…

Too much … metadata

You’ve got an email

Share your downloads with us !

Smartphone / Tablets

Acquisition is complicated

Preservation

is king

Yummy extra info …

Yummy data breakfast

Virtual Machines

Take snapshots like there’s no tomorrow

Preservation

is king

Network forensics

How I Xplico to you dude ?

Preservation

is king

Cloud computing

There’s still traces

There are always traces left

WTF DFIR bro?

Boring legal stuff

Forensic magic

Stand-up guy

Wanna more ?

Cut to the chase

Know your trade

Know your enemy

Know your enemy

Use more than one tool

Missing things tell us a lot

Put two and two together

Always learn new tricks

50% Knowledge

30% Technique

15% Instincts

5% Luck

Writing the report > Introducción

> Resumen Ejecutivo

> Entorno del Informe (personas, lugares, fechas)

> Hechos probados iniciales (lo que sabemos)

> Hechos técnicos demostrables (lo que encontramos)

> Conclusiones

> Anexo: Evidencias

Write your report

Defending the report > Contrainforme pericial

> Exposición del informe en el juicio

> Validez del técnico

> Validez de las herramientas

> Preguntas de la otra parte

> Mantener la calma, responder lo justo y bien pensado

Defend your report

Ethics

Ethics

WTF DFIR bro?

Boring legal stuff

Forensic magic

Stand-up guy

Wanna more ?

Books

Blogs

Tools / LiveCDs

Certifications

Conclussions

We need DFIR Lots of it

Legal issues are critical

Many places to look

Have to know where, how & why

You can run

You can’t hide

If you’re guilty …

we’ll catch you

@antoniosanzalc

http://www.equipoazul.es

http://bit.ly/1h47zfF