Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Online DFS
1. Cyber Security Technologies
Presentation of the
OnLine Digital Forensic Suite™
Next-generation software for investigations
of live computers in networks . . .
OnLineDFS Introduction - Proprietary & Confidential - Page 1
2. Focus
OnLine Digital Forensic Suite™ is
a software product
for the real-time investigation
of live, running systems in networks
Product Heritage
Core technology developed with SBIR
funding from the US Air Force
Productized for commercial market
Patent pending
4. OnLineDFS™ Deployment
[Deployment diagram, multi-user version depicted]
Investigator (browser interface), working from any location: corporate, field location, law enforcement, service provider, home office, hotel, etc.
OnLineDFS application and data store, hosted in the NOC (or other secure location)
Systems under investigation: corporate headquarters servers, corporate manufacturing locations, regional offices; wired/wireless/mobile
Note: the browser interface and the OnLineDFS™ application can co-reside
5. OnLineDFS Today
Summary of OnLineDFS Functionality (columns ordered from most volatile to persistent)

Volatile state data:
  29 sources of running state data captured from Windows targets, similar with Unix and Linux targets
  Acquisition, examination, search
Memory:
  Acquisition, walk, capture, search
Persistent data:
  Files, folders, directories, metadata, etc.; unallocated and slack space; registry
  Acquisition, examination, search, image disk
6. Key Attributes
Built for the examination of running systems
Collects information that is lost when computer is shut down
Strong emphasis on volatile data and live examination of persistent data for
rapid mitigation of risk
“Plug-and-play” deployment
OnLineDFS installed on the network or subnet; no physical contact with the target
system is required
No pre-installed agents
Straightforward, simple architecture
Simple set-up and operation
Technology can be readily integrated with other technologies
Investigate from anywhere, to anywhere
Investigator can work where the application is, or remotely from anywhere
with Internet connectivity
Investigations performed through a secure network connection
Wired/wireless/mobile targets OK
Discreet, non-disruptive:
Computer being analyzed is left in place
No end-user involvement needed
Investigative activity very difficult to detect
Stable, solid product
Release 3.6
Designed to adhere to forensic best practices
7. OnLineDFS Advantages
Designed for use in an enterprise environment
Built for on-line, real-time, networked world
Drill down live to hosts with issues of investigative interest
Proactive tool to address issues as they are happening
No pre-installed agents
Plug-and-play product based on simple architecture,
very easy to deploy, maintain and use
Discreet, unobtrusive, does not disrupt operations
Flexible analytical approach fits real world
Go where the data takes you, acquire what you need
Enhances investigation productivity and timeliness
Leverages investment in third-party tools
Adheres to forensic best practices
8. OnLineDFS Delivers
Law Enforcement An effective tool for investigations
in an enterprise environment
Enterprises A cost-effective tool to mitigate
risk, conduct investigations
effectively
Service Providers A tool to deliver outstanding
customer timeliness and value
13. Primary Data and Search
14. Demonstration Scenario
Network security has observed unusual traffic
on port 730 of host 192.168.171.202
You are authorized to investigate this host and
have the administrative account and
password necessary to perform the
investigation
44. Let’s Review the Investigation
Acquired volatile data from host A
Looked at port 730 details and found
WINWORD.exe
Acquired the WINWORD.exe file
Determined that it is a keylogger
Acquired memory and found the keylogger
program and credit card data
Referred back to the port 730 details and
identified the IP address and port of the host
connected to host A
45. Let’s Review the Investigation
With this information, initiated a second
investigation on host B
From the volatile data acquired, we identified
telnet as the process associated with port 1142
Acquired memory and found the exact same
credit card data as was found in the memory of
host A
Automatically generated detailed and
thorough documentation of the entire
investigation
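The two-host walkthrough above (acquire volatile data, map the suspicious port to its owning process and remote peer, pivot to the peer, then search both memory acquisitions for the same card data) as an added Python example. This is not OnLineDFS code or output: the connection table, process list, memory fragments, image paths and host B's address 192.168.171.50 are constructed assumptions. The step in which the acquired WINWORD.exe was examined and identified as a keylogger is not reproduced; the example covers the correlation and memory-search logic only.

```python
"""Live-response triage modelled on the two-host investigation above.

Added example, not OnLineDFS code.  All inputs are constructed stand-ins for
what a live acquisition returns: a netstat-style connection table, a
pid-to-image map, and raw memory fragments.  Host B's address
(192.168.171.50) and the image paths are assumptions, not values from the deck.
"""
import re
from typing import Dict, List, Optional

# --- constructed acquisition data for host A (192.168.171.202) ---------------
# Columns: proto  local  remote  state  pid
HOST_A_CONNECTIONS = """\
TCP  192.168.171.202:730   192.168.171.50:1142  ESTABLISHED  1544
TCP  192.168.171.202:445   0.0.0.0:0            LISTENING    4
TCP  192.168.171.202:3389  0.0.0.0:0            LISTENING    1208
"""
HOST_A_PROCESSES = {4: "System",
                    1208: r"C:\Windows\System32\svchost.exe",
                    1544: r"C:\Windows\Temp\WINWORD.exe"}   # assumed path
HOST_A_MEMORY = (
    b"keylog buffer: 4111111111111111 exp 12/27\x00"       # ASCII card number
    b"noise 1234567890123456 more noise"                   # 16 digits, fails Luhn
    + "Name: 378282246310005".encode("utf-16-le")          # wide-string copy
    + b"\x00\x00"
)

# --- constructed acquisition data for host B (assumed 192.168.171.50) --------
HOST_B_CONNECTIONS = """\
TCP  192.168.171.50:1142  192.168.171.202:730  ESTABLISHED  2088
"""
HOST_B_PROCESSES = {2088: r"C:\Windows\System32\telnet.exe"}
HOST_B_MEMORY = (b"telnet scrollback: 4111111111111111 ... 378282246310005 ..."
                 b" 5500000000000004")                     # only on host B


def parse_connections(text: str) -> List[Dict]:
    """Parse a netstat-style table into records with integer ports and pids."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                       # skip headers / blank lines
        proto, local, remote, state, pid = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                      "remote_ip": rip, "remote_port": int(rport),
                      "state": state, "pid": int(pid)})
    return conns


def find_port_owner(text: str, procs: Dict[int, str], port: int) -> Optional[Dict]:
    """Map a local port to its owning process image and the remote peer."""
    for c in parse_connections(text):
        if c["local_port"] == port:
            return {"pid": c["pid"], "image": procs.get(c["pid"], "<unknown>"),
                    "remote_ip": c["remote_ip"], "remote_port": c["remote_port"]}
    return None


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters the many digit runs in memory that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Card numbers in Windows memory may sit in ASCII or in UTF-16LE wide strings.
ASCII_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
WIDE_RUN = re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)")


def find_card_numbers(blob: bytes) -> List[str]:
    """Return Luhn-valid 13-19 digit runs found as ASCII or UTF-16LE text."""
    found: List[str] = []
    for pattern, enc in ((ASCII_RUN, "ascii"), (WIDE_RUN, "utf-16-le")):
        for m in pattern.finditer(blob):
            cand = m.group().decode(enc)
            if luhn_valid(cand) and cand not in found:
                found.append(cand)
    return found


def run_investigation() -> Dict:
    """Host A port -> process -> peer; pivot to host B; compare memory finds."""
    a = find_port_owner(HOST_A_CONNECTIONS, HOST_A_PROCESSES, 730)
    b = find_port_owner(HOST_B_CONNECTIONS, HOST_B_PROCESSES, a["remote_port"])
    a_cards = find_card_numbers(HOST_A_MEMORY)
    b_cards = find_card_numbers(HOST_B_MEMORY)
    return {"host_a": a, "host_b": b, "host_a_cards": a_cards,
            "host_b_cards": b_cards,
            "shared_cards": sorted(set(a_cards) & set(b_cards))}


if __name__ == "__main__":
    for key, value in run_investigation().items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the Luhn filter drops most of the digit runs a memory image contains (timestamps, handles, counters), so "same card data on both hosts" rests on numbers that pass a checksum rather than on any 16-digit coincidence; and the UTF-16LE pattern is needed because Windows applications frequently hold captured text as wide strings, which an ASCII-only search misses entirely.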