Forensics for the Defense
DESCRIPTION
Forensic techniques are not just for law enforcement. Use them to supplement your existing security package and to provide evidence of due diligence in the event of an incident. Test your security before someone else does.
TRANSCRIPT
Tom Kopchak
Forensics for the Defense (of your network)
About the Presenter – Who am I?
• Who am I?
• Why am I here, and what got me here?
• Why am I passionate about computer security?
You do "forensics"?!? That sounds awesome!!
The Truth
• Evidence can be hard to come by
• Any and all evidence must be carefully accounted for and documented
• Cases involving movie-like circumstances are few and far between
Forensics = Valuable
• Traditional - Law enforcement
• Emerging - Security
Traditional Forensics – Disks
Next Steps – Memory
Expanding the Scope
Leveraging Forensics for Business
Commonalities
Practical Applications
• Forensic Verification
• Forensic Penetration Testing
• Malware/Exploit/Breach Analysis
A word of caution...
• Permission! Get explicit, written authorization before imaging or attacking any system you do not own
Why Forensics?
• Security is not a checkbox
• Simulate attack
• Identify shortcomings
Forensic Verification
• Applications might store temporary/cached data on disk without the administrator knowing
• PCI implications: cardholder data cached on disk is stored cardholder data, and PCI DSS requires it to be rendered unreadable wherever it is stored
Test Configuration
• Control image
• Test Cases
• Analysis
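The control image / test case / analysis workflow, as an added example that is not part of the talk: image the system before the test case, run the test case (say, a payment workflow), image it again, then scan the post-test image for cardholder data the application may have cached and report which sectors changed. The two images here are constructed in memory as stand-ins for raw dd images; the cache layout, offsets and card numbers (brand test numbers) are hypothetical, and the PAN regex and UTF-16 scan are simplifications chosen for the example.

```python
"""Forensic verification: control image vs. post-test image.

Added example, not code from the talk.  The images are constructed in memory
as stand-ins for raw dd images; offsets and file contents are hypothetical.
"""
import re
from typing import Dict, List, Set

SECTOR = 512

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.  re.ASCII keeps \d to [0-9].
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pans_in_text(text: str) -> Set[str]:
    """Regex candidates filtered by Luhn, so order IDs and timestamps drop out."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add(digits)
    return found


def find_pans(image: bytes) -> Set[str]:
    """Scan a raw image as 8-bit text and as UTF-16LE at both byte alignments,
    because Windows applications commonly cache strings as UTF-16."""
    found = pans_in_text(image.decode("latin-1"))
    for offset in (0, 1):
        found |= pans_in_text(image[offset:].decode("utf-16-le", "ignore"))
    return found


def changed_sectors(control: bytes, test: bytes, sector: int = SECTOR) -> List[int]:
    """Indices of sectors whose contents differ between the two images."""
    count = (max(len(control), len(test)) + sector - 1) // sector
    return [
        i for i in range(count)
        if control[i * sector:(i + 1) * sector] != test[i * sector:(i + 1) * sector]
    ]


def mask(pan: str) -> str:
    """PCI-style display masking: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def verify(control: bytes, test: bytes) -> Dict[str, object]:
    """PANs present only after the test case (masked for the report) plus the
    sectors that changed, i.e. where to look next with a hex viewer."""
    new_pans = find_pans(test) - find_pans(control)
    return {
        "new_pans": sorted(mask(p) for p in new_pans),
        "changed_sectors": changed_sectors(control, test),
    }


# --- constructed sample images (stand-ins for dd output) ---------------------
def build_images():
    control = bytearray(8192)
    order = b"order_id=1234567890123456\n"          # 16 digits, fails Luhn
    control[4096:4096 + len(order)] = order
    test = bytearray(control)
    # Hypothetical application cache written during the test case:
    leak = b"cache: card=4111-1111-1111-1111 exp=12/29\n"
    test[6000:6000 + len(leak)] = leak
    # Same kind of leak, but stored as UTF-16LE at an odd byte offset:
    leak16 = "5555555555554444".encode("utf-16-le")
    test[7001:7001 + len(leak16)] = leak16
    return bytes(control), bytes(test)


if __name__ == "__main__":
    ctrl, tst = build_images()
    print(verify(ctrl, tst))
```

Against real images, read both files with the same function and treat every sector listed under "changed_sectors" as a lead: the PAN scan only catches plaintext and UTF-16 encodings, so a changed sector with no hit still deserves a manual look for compressed, encoded or application-specific cache formats.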
Encrypted Laptop – Stolen!
It’s safe, right?
The Solution – Forensics Penetration Testing
Zero Knowledge vs. Authenticated Testing
The Real Test
Fully Encrypted – Administrator Confidence 100%
Starting the Attack
Machine Powered Off – Full Disk Images Created
Breakthrough
• Grace period for pre-boot authentication lockout
Mounting the attack
Downgrade memory (reduce installed RAM so the DMA channel can address all of physical memory) – Leverage DMA – Exploit OS
Result: Full Admin Access to Entire System
Failure of Encryption?
• Encryption Did Not Fail!
• Convenience vs. Security
• Zero knowledge attack
Forensics for the Defense – One System at a Time
• System vulnerabilities unknown until tested
• Forensic penetration testing = same purpose as a traditional penetration test
• Learn and improve from mistakes
Conclusions
• Forensic techniques are not just for law enforcement
• Supplement your existing security package
• Provide evidence of due diligence in the event of an incident
• Test your security before someone else does
Wrap Up/QA