
Introduction to Security Forensics and Incident Handling
Twitter: @0xmchow

Topic Outcomes


• Acquire data (from a disk) using `dd`
• Analyze the disk image produced by `dd` using forensics tools including Autopsy/Sleuth Kit and Foremost
• Recover deleted files off a disk

Imagine you have been attacked, compromised, or are involved in a criminal incident. What’s the evidence? What happened? When? Who was involved?

What is Forensics?
• Preservation (of computer media)
• Identification (of computer media)
• Extraction (of computer media)
• Interpretation
• Documentation

The Process
• Assess the situation
• Acquire data
• Analyze data

Law Enforcement: Before Assessing the Situation, Obtain a Search Warrant

Example of a Search Warrant

Example of a Search Warrant (continued)

Terminology
• Volatile data: RAM, processes
• Non-volatile data: Hard disks, USB drives
• Physical acquisition: Bit-by-bit copy of entire physical store
• Logical acquisition: Bit-by-bit copy of directories and files on a file system partition
• Write blockers: “Devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands” [1]
• Chain-of-custody: Chronological documentation from “cradle-to-grave” (i.e., warrant, seizure, custody, control, transfer, analysis, disposal)

• What could possibly go wrong if you don’t use a write blocker to acquire evidence or data?
• What are the pros and cons of physical vs. logical acquisition? When would you want to use one over the other?

Forensics Tools
• md5/sha1/sha256/sha512
• dd
• stegdetect
• Sleuth Kit and Autopsy
• Foremost
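As an added illustration of how the first two tools on this list and Foremost fit together (example code added here, not part of the original slides): a `dd`-style block copy that hashes the source as it is read, an independent hash of the finished image for comparison, and a Foremost-style header/footer carver that pulls PNGs out of unallocated space without any directory entries. The sample “drive” and the PNG it holds are constructed inline.

```python
import hashlib
import struct
import tempfile
import zlib
PNG_HEADER = b"\x89PNG\r\n\x1a\n"        # fixed 8-byte PNG signature (carver header)
PNG_FOOTER = b"IEND\xae\x42\x60\x82"     # IEND chunk type + its constant CRC (carver footer)

def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def make_png():
    """Constructed 1x1 red RGB PNG; plays the role of the deleted file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one pixel
    return PNG_HEADER + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def build_sample_device(path):
    """Constructed 'drive': deterministic filler with two PNGs left in unallocated space."""
    disk, png = bytearray(bytes(range(256)) * 16), make_png()  # 4096 bytes of filler
    for off in (700, 2900):
        disk[off:off + len(png)] = png
    with open(path, "wb") as f:
        f.write(disk)

def acquire(src, dst, bs=512):
    """Block-wise bit-for-bit copy (dd's model), hashing the source stream as it is read."""
    digest = hashlib.sha256()
    with open(src, "rb") as s, open(dst, "wb") as d:
        while block := s.read(bs):
            digest.update(block)
            d.write(block)
    return digest.hexdigest()

def carve_png(image):
    """Header/footer carving over raw bytes: no directory entries needed, so unlisted files are found."""
    found, pos = [], 0
    while (start := image.find(PNG_HEADER, pos)) != -1:
        end = image.find(PNG_FOOTER, start)
        if end == -1:
            break  # header with no footer: truncated or overwritten, stop here
        pos = end + len(PNG_FOOTER)
        found.append((start, image[start:pos]))
    return found

def demo():
    """Image the sample drive, check the image hash against the source hash, then carve."""
    tmp = tempfile.mkdtemp()
    dev, img = f"{tmp}/sdb", f"{tmp}/sdb.dd"
    build_sample_device(dev)
    src_hash = acquire(dev, img)
    with open(img, "rb") as f:
        image = f.read()
    return src_hash == hashlib.sha256(image).hexdigest(), carve_png(image)
```

`demo()` returns whether the image hash matched the source hash and the list of `(offset, bytes)` carved; a mismatch means the image is not evidence-grade, and a PNG whose footer was overwritten is reported as absent rather than as a bogus partial file.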

Incident Handling
• Generalized and broad term
• Incorrect?
• Incident Handling (IH) is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
• Incident Response (IR) is all of the technical components required in order to analyze and contain an incident.
• https://isc.sans.edu/forums/diary/Incident+Response+vs+Incident+Handling/6205
• Rebuttal by
• tl;dr IH and IR are the same
• https://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html

Why Incident Handling is Important
• Barking up the wrong trees
• Dead-end investigations
• Hard to accumulate knowledge, experience
• Legal issues
• Cost overruns
• Organization (i.e., do not know who to contact)

Incident Handling vs Forensics
• There are overlaps
• Forensics: “finding and documenting the actions of a person or persons in relation to other people or places or activities. Must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.” [2]
• Incident Handling: generally speaking, must be well versed with many facets of IT and information security.

Incident Handling Phases
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

For a Deeper Dive into Incident Handling
• Take SANS’ SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling https://www.sans.org/course/hacker-techniques-exploits-incident-handling
• Yours truly is an alumnus of the course back in 2007
• SANS GCIH certification https://www.giac.org/certification/certified-incident-handler-gcih
• Read: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Anti-Forensics (or countering forensics)
• Full-disk wipe using DoD 5220.22-M
• https://www.nispom.org/NISPOM_2006.pdf
• Remove logs
• Steganography
• Encryption (full-disk, VeraCrypt, BitLocker for Windows, FileVault for macOS)
• Put disk into BBQ or fire pit

1. http://forensicswiki.org/wiki/Write_Blockers
2. http://exforensis.blogspot.com/2009/09/how-is-computer-forensics-different.html
