proactive n reactive forensics
TRANSCRIPT
-
8/7/2019 Proactive n Reactive Forensics
1/13
11
Proactive & ReactiveProactive & ReactiveForensicsForensics
Jess Garca
Forensics,Forensics, AntiforensicsAntiforensics & Automation& Automation
Security Instructor The SANS Insti tuteConsultant Jessland Enterprise Security Services
http:/ /www.jessland.net
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 2
Agenda Agenda
IR & ForensicsIR & Forensics Antiforensics AntiforensicsForensics Readin essForensics Readiness
Autom ated Forensics Autom ated Forensics
-
8/7/2019 Proactive n Reactive Forensics
2/13
22
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 3
Digital Forensics Digital Forensics
What is Digital Forensics?What is Digital Forensics? Incident response Computer Forensic Investigations Forensic preparedness Secure Data Recovery
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 4
Incident Response Incident Response
PreparationPreparationIdentificationIdentificationContainmentContainmentEradicationEradicationRecoveryRecoveryFollowFollow--upup
The 6The 6 --Step IR ProcessStep IR Process
-
8/7/2019 Proactive n Reactive Forensics
3/13
33
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 5
The ForensicsThe Forensics Process Process
Seizure
Preliminary Analysis
Investigation
Analysis
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 6
Evidence Evidence
Evidence Types:Evidence Types: Human Testimony Physical Evidence Network Evidence Host Evidence
MemoryNetwork ConnectionsProcessesOpen PortsDisksFilesystemsExternal Devices
-
8/7/2019 Proactive n Reactive Forensics
4/13
44
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 7
Real Life Problems Real Life Problems
Lack of trainingLack of trainingPoor EvidencePoor EvidenceTime consuming processTime consuming processLack of logging & tracking capabilitiesLack of logging & tracking capabilities
Lack of containment capabilitiesLack of containment capabilitiesLack of appropriate Forensics environmentLack of appropriate Forensics environment
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 8
Antiforensics Antiforensics
PerspectivesPerspectives Unintentional
Quality of evidence deteriorates quicklyThe Human Factor
The User The Investigator
Malicious
Antiforensics Antiforensics is the art of reducing theis the art of reducing theQuantity and Quality of Forensics DataQuantity and Quality of Forensics Data
-
8/7/2019 Proactive n Reactive Forensics
5/13
55
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 9
Antiforensics Antiforensics
Forensics Analysts IssuesForensics Analysts Issues Short on time Short on Technical Skills Slave to their Tools
Tools IssuesTools Issues Filesystems Restrictions and Bugs
VulnerabilitiesData IssuesData Issues Encryption Propietary Formats
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 10
Antiforensics Antiforensics
StrategiesStrategies Data Destruction or Manipulation
Data itself Meta-data
Data Hiding
Inserting Data where it does not belong Data Contraception
In memory ExecutionSmall Footprint tools
-
8/7/2019 Proactive n Reactive Forensics
6/13
6 6
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 11
Forensics Readiness Forensics Readiness
Forensics Readiness is the art of Forensics Readiness is the art of Maximizing an Environments Ability to CollectMaximizing an Environments Ability to Collect
Credible Digital EvidenceCredible Digital Evidence
No system or network is secure enoughNo system or network is secure enough
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 12
Forensics Readiness Forensics ReadinessPreparing IR Capabilities
Building your IR CapabilitiesBuilding your IR Capabilities The Lab
Isolated Network Isolated SystemsForensics ServersDisk Servers
Short and Long Term Secure Storage The Jump Bag
Blank MediaDisk DuplicatorsNetworking Gear !!!
The ToolsForensics Software Processes
-
8/7/2019 Proactive n Reactive Forensics
7/13
7 7
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 13
Forensics Readiness Forensics ReadinessPreparing the IR Team
The IR TeamThe IR Team Processes
Crime Scene ProceduresChain of CustodyLegalities
Forensics Tools TrainingCommercial Tools
Free ToolsOperating Systems & ApplicationsHardware and Physical Devices
Real-Life Cases TrainingHoneynetsHoneynet Projects SoftmReto Forense RedIRIS / UNAM
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 14
VA / Forensics/
FW Manager
Workstations
Servers
External Services
ID Network
IDSManagement& Analysis
Log Server / SEM
Honeynet
Forensics Readiness Forensics ReadinessPreparing Systems & Networks
Traffic Capturing Devices
Rotation time >= Response time
-
8/7/2019 Proactive n Reactive Forensics
8/13
88
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 15
Preparing Systems & Networks:Preparing Systems & Networks: Use Turn on & Maximize logging capabilities Enable Remote Logging Enable Kernel & Filesystem Accounting Good Practices for Filesystems Separation Host-based Firewalls
NIDS & HIDS Profiling Periodical Auditing Forensics-friendly Filesystems Analysis of the Impact of Forensics Tools
Forensics Readiness Forensics ReadinessPreparing Systems & Networks
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 16
Forensics Readiness Forensics ReadinessPreparing for Containment
The Network The Network Good Practices for Network Design Choke Points
The SystemsThe Systems Host-based Firewalls
The PeopleThe People Restricted Investigative Team
-
8/7/2019 Proactive n Reactive Forensics
9/13
99
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 17
The Forensics ProcessThe Forensics Process(Revisited)(Revisited)
Seizure
Preliminary Analysis
Investigation
Analysis
VERY Time consuming VERY Time consuming
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 18
Forensics Response Forensics Response
What Type of IR/Forensics do you want/need?What Type of IR/Forensics do you want/need?What type of incidents do you expect?
TraditionalSlow
ManualMore accurate (if doneproperly)More Forensically SoundOlder evidence
ReactiveFasterManual / AutomatedRisk of False Positives /NegativesLess Forensically Sound (?)Fresher evidence
-
8/7/2019 Proactive n Reactive Forensics
10/13
1010
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 19
Automated Response Automated Response
1. Identify Attack 1. Identify Attack
2. Trigger Automated Incident Response2. Trigger Automated Incident Response
3. Verify Incident3. Verify Incident
4. Trigger Automated Forensics Collection4. Trigger Automated Forensics Collection
5. Pre5. Pre --analyze dataanalyze data
6. Trigger alert6. Trigger alert
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 20
Automated Forensics Automated Forensics
What is automated forensics?What is automated forensics? Automate the most typical steps of the Forensics
Analysis
Perspectives:Perspectives: Automated Forensics Tools
Automated Forensics Process Live Forensics:
IDS / IPS ToolProcedural Tool
Dead Forensics
-
8/7/2019 Proactive n Reactive Forensics
11/13
1111
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 21
Automated Forensics Automated Forensics
Objectives:Objectives: Help identify actual intrusions Collect more evidence Collect better evidence Reduce Analysis Time Forensically Sound
Help stop attack Helps with difficult to handle scenarios:
EncryptionStrange hardware (e.g. RAID arrays)
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 22
Automated Forensics Automated Forensics
The Process:The Process: Automated IR Analysis
MemoryNetwork ConnectionsProcessesOpen PortsDisksFilesystemsExternal Devices
Automated Disk & Filesystem Seizure Automated Memory Seizure Automated Integrity/Rootkit Checks
-
8/7/2019 Proactive n Reactive Forensics
12/13
1212
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 23
Automated Forensics Automated Forensics
The Process:The Process: Automated Profiling and Auditing Automated Traffic Analysis Automated Filesystem Analysis
MactimesDeleted Files IdentificationData Recovery
Artifacts Recovery
Automated Memory AnalysisProcesses Recovery
Artifacts Recovery
Automated Artifacts Analysis
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 24
Risks & Limitations of Risks & Limitations of Automated Forensics Automated Forensics
BenefitsBenefits Fast
Possibility of Early DetectionIf nothing else, better than no response
Earlier Evidence Optimizes Analysis Time Allows for more In-Depth Analysis
Requirements:Requirements: Preserve Evidence
Avoid using local binaries and libraries: push staticallycompiled binariesIn memory execution (ftrans, userland exec)
-
8/7/2019 Proactive n Reactive Forensics
13/13
1313
Proactive & Reactive Forensics Copyright 2005, Jess Garca http:// www.jessland.net 25
Risks & Limitations of Risks & Limitations of Automated Forensics Automated Forensics
Risks & LimitationsRisks & Limitations False Sense of Security Assimetry:
Positive Results -> Probable break-inNegative results do not mean unsuccessful break-in
False Positives & False Negatives
May not stand in Court