Digital inVESTigations


Forensics and Audit Trails
About Me

Marc Hullegie
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to sharing experiences with you at the OWASP Benelux Days 2012.

Kees Mastwijk
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and Security Manager. He has a long (and ongoing) history in Digital Forensic Research.
TALK OUTLINE
Basics
Principles
Audit Trails
Timeline Analysis
Challenges
  - BIG Data
  - Solid State Drives
  - Cloud Computing
  - Changing forensic landscape
Trends
  - Triage
  - Visualization
And then What?
INVESTIGATION BASICS

Why do people commit fraud / crime / ‘misbehavior’ / ….

Fraud Triangle:
• Opportunity – One has to be able to commit fraud
• Motive – There is a ‘drive’ to commit fraud
• Rationalization – Actions will be justified
INVESTIGATION BASICS

Understanding the Fraud Triangle can be helpful for:
• Formulating the investigation charter
• Creating scenarios
• It applies to fraud and forensic investigations as well as security testing
TYPES OF DIGITAL INVESTIGATIONS
(due to the nature of the fraud / crime ..)

• Against computer systems, e.g. hacking, spam
• Where computer systems are used to commit fraud, stalking, harassment
CHARACTERISTICS OF GOOD EVIDENCE

• Intact / integrity preserved
• Relevant
• Reproducible
KNOW YOUR STUFF!

REQUIRED SKILLS AND KNOWLEDGE
- Technical skills: understand what kind of evidence you are looking for,
&
- Investigative skills: being able to understand the value of the evidence in the case, translate highly technical findings into an easy-to-understand report, and spot abnormalities
- While maintaining the ‘chain of custody’
BASICS

Basic steps in a digital forensic investigation

• Preparation
• Acquisition of Evidence
• Duplication
• Extraction
• Analysis
• Reporting
PREPARATION

• Investigation Charter
• Determine the scope and preconditions of the investigation
• Determine potential locations of relevant evidence based on the type of investigation:
  - Network
  - Data carriers like hard disk drives, smartphones, USB drives etc.
  - Memory
  - Etc.. Etc..
• Expectation Management / (Communication)
• Create an investigation log (and maintain it during the process)
ACQUISITION & PRESERVATION

• NEVER conduct an investigation on original material
• Acquire potential evidence following forensically sound procedures, tools and hardware
• Use write-protected hardware and software that ensures the integrity of the copy
• Duplicate the acquired evidence files to a secured back-up location
• Note system configuration settings, especially time-related ones
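As an added example (not from the slides): the acquisition and duplication steps above carried out in code, hashing the acquired image, copying it to the backup location, verifying the copy, and recording each step in an append-only investigation log; the file names, operator name and image content are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream images in 1 MiB chunks; real images exceed RAM


def sha256_file(path):
    """Hex SHA-256 of a file, computed without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def log_entry(log_path, operator, action, **details):
    """Append one timestamped JSON line to the investigation log (never rewritten)."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "operator": operator, "action": action, **details}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire_and_duplicate(image_path, backup_dir, log_path, operator):
    """Hash the acquired image, copy it to the backup location, verify the copy.

    Returns (original_hash, copy_hash, verified); both hashes are logged so the
    check can be repeated by anyone reading the log later.
    """
    original_hash = sha256_file(image_path)
    log_entry(log_path, operator, "acquired",
              file=os.path.basename(image_path), sha256=original_hash)
    os.makedirs(backup_dir, exist_ok=True)
    copy_path = os.path.join(backup_dir, os.path.basename(image_path))
    shutil.copyfile(image_path, copy_path)
    copy_hash = sha256_file(copy_path)
    verified = copy_hash == original_hash
    log_entry(log_path, operator, "duplicated",
              copy=copy_path, sha256=copy_hash, verified=verified)
    return original_hash, copy_hash, verified


def verify_against_log(path, log_path):
    """Re-hash a file and compare with the hash recorded at acquisition.

    Returns False when the file changed after acquisition or was never logged.
    """
    name, recorded = os.path.basename(path), None
    with open(log_path, encoding="utf-8") as f:
        for line in f:
            entry = json.loads(line)
            if entry.get("action") == "acquired" and entry.get("file") == name:
                recorded = entry["sha256"]
    return recorded is not None and sha256_file(path) == recorded


def demo():
    """Run the workflow on a constructed image, then alter the backup copy."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "laptop_sda.dd")  # constructed stand-in, not a real image
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed test pattern" + b"\xff" * 4096)
    log = os.path.join(work, "investigation.log")
    backup = os.path.join(work, "backup")
    _, _, copy_ok = acquire_and_duplicate(image, backup, log, "analyst1")

    # Simulate a backup copy modified after acquisition: one byte overwritten.
    copy = os.path.join(backup, "laptop_sda.dd")
    with open(copy, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    # (copy verified at duplication time, original still intact, altered copy detected)
    return copy_ok, verify_against_log(image, log), verify_against_log(copy, log)


if __name__ == "__main__":
    print(demo())
```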
EXTRACTION

• Compound files (zip/rar/certain e-mail archives) may need to be extracted in order to search the files they contain.
• Transform data into usable investigation objects
• Disk images contain potential ‘hidden’ evidence in file slack, unallocated clusters etc.
UNALLOCATED CLUSTERS
CARVING UNALLOCATED CLUSTERS
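As an added example (not from the slides): a minimal header/footer carver for the unallocated clusters mentioned above, run over a constructed byte buffer that stands in for the unallocated area of an image; the signatures are the standard JPEG and PNG markers, and the skipped orphaned header shows the partially overwritten case.

```python
import hashlib

# Header and footer byte signatures for the types this carver recognises.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 64 * 1024 * 1024  # stop looking for a footer 64 MiB past its header


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return carved objects as dicts {type, offset, size, sha256}, ordered by offset.

    'data' holds the unallocated clusters (as read from a disk image via the file
    system's allocation map). A header with no footer within max_size is skipped
    rather than carved to the end of the buffer. Limitation of plain header/footer
    carving: a JPEG with an embedded EXIF thumbnail ends at the thumbnail's FFD9
    marker and needs structure-aware carving instead.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # orphaned header: likely partially overwritten
                continue
            end += len(footer)
            blob = data[start:end]
            found.append({"type": ftype, "offset": start, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest()})
            pos = end  # resume after the carved object, not inside it
    return sorted(found, key=lambda r: r["offset"])


def build_sample_unallocated():
    """Constructed test buffer: two minimal 'files' plus one orphaned JPEG header,
    separated by filler that contains none of the signatures."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"  # 52 bytes
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 17
           + b"IEND\xaeB`\x82")  # 41 bytes
    orphan = b"\xff\xd8\xff\xe1" + b"\x33" * 10  # header whose footer was overwritten
    filler = bytes(range(256)) * 4  # 1024 bytes, no signature sequence inside
    return filler + jpeg + filler + png + filler + orphan


def carve_sample():
    """Carve the constructed buffer; yields the jpeg at 1024 and the png at 2100."""
    return carve(build_sample_unallocated())


if __name__ == "__main__":
    for hit in carve_sample():
        print(hit)
```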
ANALYSIS

• Select tooling to conduct analysis
• Many tools available, specific for each type of
  investigation
• Cross check and verify your findings. Do not rely
  on the results of one tool
• Keep in mind the questions to be answered in the
  investigation or you will get lost
REPORTING
• Translate findings into a readable report
• Be transparent in describing your investigative process
• Answer the ‘W’ and ‘H’ questions: Who did What, When, Where, Why and How
• Do not jump to conclusions! Be aware of tunnel vision
CHALLENGES IN DIGITAL FORENSICS

• BIG data changes the way investigations will be conducted
• Diversity of equipment used in today’s communications
• Solid State Disks (SSDs) reduce the likelihood of retrieving good evidence (if it was deleted previously)
• Unclear where your data is: e.g. Cloud Computing changes potential source locations
• Virtual Desktop Infrastructures
• Compliance rules limiting access to public records
TRENDS IN DIGITAL FORENSICS – TRIAGE

• Screen potential evidence instead of creating a full disk image first, to conduct digital investigations efficiently and cost-effectively. Average storage in a system has increased substantially.
TRENDS IN DIGITAL FORENSICS – TRIAGE - CONT

Previewing and searching potential evidence saves a lot of time and storage.
If a triaged system contains sources of evidence, create a full disk image.
TRENDS IN DIGITAL FORENSICS – VISUALIZATION

• Visualize BIG data to correlate events,
  relationships, systems.
• Profiling applications
AUDIT TRAILS

In a digital forensic context:
‘Chronological presentation of actions and
events extracted from user or system generated
information’
SYSTEM GENERATED EVIDENCE
Users have little understanding or awareness of the presence of this kind of evidence!

Some examples
• NTUSER.DAT
• Webserver logs
• Index.dat files
• Print spooler logs
• E-mail headers
• Registry files
• Temp/tmp folders
• Etc..
USER CREATED EVIDENCE
Some examples:
• Pictures
• (Open) Office documents
• Internet history
• Chat services
• E-mails
OTHER POTENTIAL EVIDENCE

Call registers
Attendance registers
Surveillance videos
Etc..

Note: Mind regulations for privacy, proportionality and subsidiarity
AUDIT TRAILS COMBINED

Combining system-generated and user-generated evidence along with additional information creates a complete audit trail.
Interrelate and correlate, minding proper (time) synchronization and unique identifiers.
Don’t assume: user williamsj does not have to be John Williams.
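As an added example (not from the slides): three constructed log fragments with different clocks, a webserver access log in local time (+0100), a firewall log in UTC and an application audit log in epoch seconds, normalised to UTC and merged into one audit trail; correlation is done on the client IP and session id carried by the records, while the user name the application logged is kept only as a claim.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample fragments. Only the application log names a user; the web
# server and firewall know just the network endpoint and (web) the session id.
WEB_LOG = """\
203.0.113.7 - - [15/Nov/2012:09:02:11 +0100] "POST /login HTTP/1.1" 302 - sid=4f2a
203.0.113.7 - - [15/Nov/2012:09:02:14 +0100] "GET /speakers/upload HTTP/1.1" 200 5120 sid=4f2a
"""
FW_LOG = """\
2012-11-15T08:02:09Z ALLOW tcp 203.0.113.7:51022 -> 192.0.2.10:443
2012-11-15T08:02:40Z ALLOW tcp 203.0.113.7:51023 -> 192.0.2.10:443
"""
APP_LOG = "1352966534 user=williamsj sid=4f2a action=upload_slides file=talk.pdf\n"

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ sid=(\w+)')
FW_RE = re.compile(r'^(\S+) (\w+) \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\S+)')


def parse_web(text):
    """Apache-style lines; the local offset (+0100) is converted to UTC."""
    events = []
    for m in filter(None, map(WEB_RE.match, text.splitlines())):
        ip, ts, request, status, sid = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append({"when": when, "source": "web", "ip": ip, "sid": sid,
                       "what": f"{request} -> {status}"})
    return events


def parse_fw(text):
    """Firewall lines already stamped in UTC (trailing Z)."""
    events = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts, verdict, ip, dst = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"when": when, "source": "firewall", "ip": ip, "sid": None,
                       "what": f"{verdict} -> {dst}"})
    return events


def parse_app(text):
    """key=value lines stamped with epoch seconds (time-zone free by construction)."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kv = dict(f.split("=", 1) for f in fields[1:])
        events.append({"when": datetime.fromtimestamp(int(fields[0]), tz=timezone.utc),
                       "source": "app", "ip": None, "sid": kv.get("sid"),
                       "claimed_user": kv.get("user"),  # what the app recorded, not proof of identity
                       "what": f"{kv.get('action')} {kv.get('file')}"})
    return events


def build_timeline(*event_lists):
    """One UTC-ordered list over all sources (sorted() is stable, so ties keep source order)."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["when"])


def correlate_session(timeline, sid, slack=timedelta(minutes=1)):
    """Events carrying the session id, plus unsessioned events (firewall) from the
    same client IP within the session's time window. IP and session id are the
    links; the user name is a claim to check against the authentication source."""
    sess = [e for e in timeline if e["sid"] == sid]
    if not sess:
        return []
    ips = {e["ip"] for e in sess if e["ip"]}
    start, end = sess[0]["when"] - slack, sess[-1]["when"] + slack
    related = [e for e in timeline
               if e["sid"] is None and e["ip"] in ips and start <= e["when"] <= end]
    return sorted(sess + related, key=lambda e: e["when"])


def demo():
    """(hh:mm:ss UTC, source) for the session trail; the web entries shift back one hour."""
    tl = build_timeline(parse_web(WEB_LOG), parse_fw(FW_LOG), parse_app(APP_LOG))
    return [(e["when"].strftime("%H:%M:%S"), e["source"]) for e in correlate_session(tl, "4f2a")]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```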
FORENSIC READINESS

• Be prepared for incidents, they WILL happen
• Compliance
• Prevention
• Early Warnings
• Limit “damage”
• Reduction of investigation cost/time
• Effectiveness in sanction (HR/Legal/IT)
CASE

‘Did the speaker participate in the OWASP Benelux 2012 conference?’
CASE – CONT

Potential evidence:
• Speaker’s laptop
• Network/server logs
• Smartphone
• Call registers
CASE – CONT

Hard disk evidence
• Keyword search
• System file analysis
CASE – CONT
Hits
• Unallocated clusters (system generated)
CASE – CONT
Hits
• Pagefile (System generated)
CASE – CONT
Hits
• NTUSER.DAT
CASE – CONT
Hits
• Network data – firewall logs
CASE – CONT
Hits
• E-mail messages
• Message tracking logs
• Etc. etc.
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Webserver: Logs
• Application server / Middleware: Logs
• Database server: Logs, system tables, memory

• Do not limit log files: log verbosely, and never overwrite
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Applications:

What have YOU instructed the application to log / record?
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• The application “Knows and Sees” a lot!
• CAPTURE THAT DATA:
• Facilitate detailed logging for the purpose of audit trails:
  Who   - e.g. user account
  What  - (sequence of) activity
  When  - date/time stamps
  Where - IP address, geo info, endpoint characteristics
  How   - application navigation behavior
Capture as much, and as detailed, as possible!
Look across bridges, as far as you can see to both ends.
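As an added example (not from the slides): an application audit trail that records the Who / What / When / Where / How fields above as append-only JSON lines and chains each record to the previous one with an HMAC, so that an edited, removed or overwritten line is detected when the trail is verified; the key, field names and events are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-key"  # in production: a key the application host cannot read back


class AuditTrail:
    """Append-only audit trail whose records are HMAC-chained to each other."""

    def __init__(self, key):
        self._key = key
        self._records = []     # stands in for an append-only file or database table
        self._prev = "0" * 64  # chain anchor for the first record

    def record(self, who, what, where, how, when=None):
        entry = {
            "seq": len(self._records),
            "when": (when or datetime.now(timezone.utc)).isoformat(timespec="milliseconds"),
            "who": who,      # authenticated account and session, not a display name
            "what": what,    # the activity and its outcome
            "where": where,  # client IP / endpoint characteristics
            "how": how,      # request path or navigation step
            "prev": self._prev,
        }
        entry["mac"] = self._mac(entry)
        self._records.append(entry)
        self._prev = entry["mac"]
        return entry

    def _mac(self, entry):
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def export(self):
        """One JSON object per line, the form the trail is shipped and verified in."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self._records)


def verify_trail(text, key):
    """Return (True, None) for an intact trail, else (False, seq of the first bad record).

    Each record's MAC is recomputed and its 'prev' must equal the previous MAC, so an
    edited, removed, reordered or overwritten line is reported at its position."""
    prev = "0" * 64
    for expected_seq, line in enumerate(text.splitlines()):
        rec = json.loads(line)
        mac = rec.pop("mac", "")
        body = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
        calc = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, calc) or rec["prev"] != prev or rec["seq"] != expected_seq:
            return False, expected_seq
        prev = mac
    return True, None


def demo():
    """Three constructed events, then the trail with an edited line and with a line dropped."""
    t0 = datetime(2012, 11, 15, 8, 2, 11, tzinfo=timezone.utc)
    trail = AuditTrail(KEY)
    who, where = "uid=1042 sid=4f2a", "203.0.113.7"
    trail.record(who, "login ok", where, "POST /login", when=t0)
    trail.record(who, "upload talk.pdf ok", where, "GET /speakers/upload",
                 when=t0 + timedelta(seconds=3))
    trail.record(who, "delete talk.pdf denied", where, "POST /speakers/delete",
                 when=t0 + timedelta(seconds=9))
    clean = trail.export()
    lines = clean.splitlines()
    edited = "\n".join(lines[:2] + [lines[2].replace("denied", "ok")])  # outcome rewritten
    dropped = "\n".join([lines[0], lines[2]])                           # upload record removed
    return verify_trail(clean, KEY), verify_trail(edited, KEY), verify_trail(dropped, KEY)


if __name__ == "__main__":
    print(demo())
```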
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS
• Where?
  – (Additional) log files
  – (System) event log
  – Database!
• Mind:
  – Location and size
  – Access, authorization …
  – Performance

• Forensic principles are to be included in your design!
HOW CAN WEB DEVELOPERS HELP SUPPORT
          FORENSIC READINESS – CONT
• Add monitoring, triggering mechanisms to
  your (forensic) logging to enhance the
  traceability with early warning and even
  prevention advantages.

• It might also support your regular system
  debugging ;-)
HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS

• Non-repudiation:
Perform security tests so that fraudulent people cannot dispute their acts or the operation of your application.

(They will tell you your application environment sucks!) Prove them wrong!
HOW CAN WEB DEVELOPERS HELP SUPPORT
       FORENSIC READINESS - CONT

• And don’t forget the traditional forensic
  sources:
• Not only application logs contain relevant
  information
• Consider logs of servers, network peripherals,
  workstations, syslogs
CONCLUSION

• All activity as shown on screen has the potential to be recovered
• New technologies change the forensic landscape as well
• Be prepared for incidents and know how to handle them while preserving potential evidence
• Be Forensic Ready! Be pro-active!
And then what?
• Do not forget about “traditional” forensics
• Adjust NOW to the changing landscape!
• OWASP has a Forensic project opened in Aug
• Let’s ALL contribute:
  – We will ALL provide our knowledge and questions
  – List of tools
  – Facts about current forensic techniques (detailed tech stuff)
  – Your environments and challenges
  – Compose a Forensics Ready (Secure) Application framework
  – Create new tools?
Thank you

For any intermediate questions and suggestions:
   – marc@vest.nl (Marc Hullegie)
   – kees@vest.nl (Kees Mastwijk)
                     www.vest.nl

See you all at the “OWASP Forensic Guide Project”
           http://owasp.org/index.php/owasp_forensic_guide_project

Vest Forensics presentation owasp benelux days 2012 leuven

  • 2. About Me Marc Hullegie Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in the information security business in all types of areas: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to share experiences at the OWASP Benelux days 2012 with you. Kees Mastwijk Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and security Manager. He has a long (and ongoing) experience history in Digital Forensic Research.
  • 3. TALK OUTLINE Basics Principles Audit Trails Timeline Analysis Challenges BIG Data Solid State Drives Cloud Computing Changing forensic landscape Trends Triage Visualization And then What ?
  • 4. INVESTIGATION BASICS Why will people commit fraud / crime /’misbehavior’ / …. Fraud Triangle: • Opportunity – One has to be able to commit fraud • Motive – There is a ‘drive’ to commit fraud • Rationalization – Actions will be justified
  • 5. INVESTIGATION BASICS Understanding the Fraud Triangle is helpful for: • Formulating the investigation charter • Creating scenarios • It applies to fraud and forensic investigations as well as to security testing
  • 6. TYPES OF DIGITAL INVESTIGATIONS (depending on the nature of the fraud / crime) • Against computer systems, e.g. hacking, spam • Where computer systems are used to commit the act, e.g. fraud, stalking, harassment
  • 7. CHARACTERISTICS OF GOOD EVIDENCE • Intact (integrity preserved and demonstrable) • Relevant • Reproducible
  • 8. KNOW YOUR STUFF ! REQUIRED SKILLS AND KNOWLEDGE - Technical skills: understand what kind of evidence you are looking for - Investigative skills: understand the value of the evidence in the case, translate highly technical findings into an easy-to-understand report, and be able to spot abnormalities - All while maintaining the chain of custody
  • 9. BASICS Basic steps in a digital forensic investigation • Preparation • Acquisition of Evidence • Duplication • Extraction • Analysis • Reporting
  • 10. PREPARATION • Investigation Charter • Determine the scope and preconditions of the investigation • Determine potential locations of relevant evidence based on the type of investigation: - Network - Data carriers like hard disk drives, smartphones, USB drives etc. - Memory - Etc. • Expectation management / communication • Create an investigation log (and maintain it during the process)
  • 11. ACQUISITION & PRESERVATION • NEVER conduct an investigation on original material • Acquire potential evidence following forensically sound procedures, tools and hardware • Use write-blocking hardware and software that ensures (and lets you demonstrate) the integrity of the copy, e.g. by hashing source and copy • Duplicate the acquired evidence files to a secured back-up location • Note system configuration settings, especially time-related ones (clock, time zone)
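The duplication and integrity steps of slide 11 (copy the acquired image, prove the copy is bit-identical, protect it against accidental writes, and record the examiner's clock settings alongside it) as an added worked example. This is not code from the talk or from Vest; it assumes the image itself was already acquired through a write blocker and exists as a file, and the file contents, case id and examiner label in `demo()` are constructed placeholders.

```python
"""Duplicate an acquired evidence image to a backup location and prove the copy is bit-identical.

Added example for the acquisition/preservation step; imaging itself (e.g. dd through a
write blocker) is assumed to have happened already.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def sha256_file(path):
    """Stream the file through SHA-256; never load an image into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def duplicate_evidence(image_path, backup_dir, examiner, case_id):
    """Copy the image, re-hash the copy, make it read-only and write a manifest beside it.

    The original is only ever opened for reading. Returns the manifest dict."""
    image_path, backup_dir = Path(image_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    copy_path = backup_dir / image_path.name

    source_hash = sha256_file(image_path)
    shutil.copy2(image_path, copy_path)           # copy2 keeps the image file's own mtime
    copy_hash = sha256_file(copy_path)
    if copy_hash != source_hash:
        copy_path.unlink()
        raise RuntimeError(f"duplicate does not match source: {copy_hash} != {source_hash}")
    os.chmod(copy_path, 0o440)                    # analysis tools must not be able to write to it

    local_now = datetime.now().astimezone()       # examiner workstation clock, with its zone
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "source": str(image_path),
        "copy": str(copy_path),
        "size_bytes": image_path.stat().st_size,
        "sha256": source_hash,
        "duplicated_utc": local_now.astimezone(timezone.utc).isoformat(timespec="seconds"),
        # Record the clock this manifest was written with: every later timestamp in the
        # case has to be related to some reference clock, so fix this one now.
        "workstation_tz": local_now.tzname(),
        "workstation_utc_offset_s": int(local_now.utcoffset().total_seconds()),
    }
    Path(str(copy_path) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_copy(manifest):
    """Re-hash the working copy against the manifest before and after analysis."""
    return sha256_file(manifest["copy"]) == manifest["sha256"]


def demo():
    """Constructed walk-through: a fake image file, a verified duplicate, then a stray write."""
    with tempfile.TemporaryDirectory() as work:
        image = Path(work) / "laptop_sda.dd"
        # Constructed bytes standing in for an image; not a real file system.
        image.write_bytes(b"\x00" * 4096 + b"NTFS    " + bytes(range(256)) * 32)
        manifest = duplicate_evidence(image, Path(work) / "backup", "examiner-01", "CASE-2012-001")
        intact = verify_copy(manifest)
        copy = Path(manifest["copy"])
        os.chmod(copy, 0o640)                     # undo read-only to simulate a careless tool
        with open(copy, "r+b") as f:
            f.seek(4096)
            f.write(b"XXXX")
        return {
            "intact": intact,
            "tamper_detected": not verify_copy(manifest),
            "size_bytes": manifest["size_bytes"],
            "hash_is_sha256": len(manifest["sha256"]) == 64,
        }
```

Run `verify_copy()` again at the end of the analysis: a hash that still matches the manifest is what lets you state in the report that the working copy was not altered while you examined it.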
  • 12. EXTRACTION • Compound files (Zip/rar/certain e-mail archives) may need to be extracted in order to be able to search the files. • Transform data into usable investigation objects • Disk images contain potential ‘hidden’ evidence in file slack, unallocated clusters etc
  • 15. ANALYSIS • Select tooling to conduct analysis • Many tools available, specific for each type of investigation • Cross check and verify your findings. Do not rely on the results of one tool • Keep in mind the questions to be answered in the investigation or you will get lost
  • 16. REPORTING • Translate findings into a readable report • Be transparent in describing your investigative process • Answer the ‘W’ and ‘H’ questions: Who did What, When, Where, Why and How • Do not jump to conclusions! Be aware of tunnel vision
  • 17. CHALLENGES IN DIGITAL FORENSICS • BIG data changes the way investigations will be conducted • Diversity of equipment used in today’s communications • Solid State Disks (SSD) reduce the likelihood of retrieving good evidence (if it was deleted previously) • Unclear where your data is: e.g. Cloud Computing changes potential source locations • Virtual Desktop Infrastructures • Compliance rules limiting access to public records
  • 18. TRENDS IN DIGITAL FORENSICS – TRIAGE • Screening of potential evidence instead of creating a full disk image first, to conduct digital investigations efficiently and cost-effectively. Average storage in a system has increased substantially.
  • 19. TRENDS IN DIGITAL FORENSICS – TRIAGE - CONT Previewing and searching potential evidence saves a lot of time and storage. If a triaged system contains sources of evidence, create a full disk image.
  • 20. TRENDS IN DIGITAL FORENSICS – VISUALIZATION • Visualize BIG data to correlate events, relationships, systems. • Profiling applications
  • 21. AUDIT TRAILS In a digital forensic context: ‘Chronological presentation of actions and events extracted from user or system generated information’
  • 22. SYSTEM GENERATED EVIDENCE Users have little understanding and awareness of the presence of this kind of evidence! Some examples • NTUSER.DAT • Webserver logs • Index.dat files • Print spooler logs • E-mail headers • Registry files • Temp/tmp folders • Etc.
  • 23. USER CREATED EVIDENCE Some examples: • Pictures • (Open) Office documents • Internet history • Chat services • E-mails
  • 24. OTHER POTENTIAL EVIDENCE Call registers Attendance registers Surveillance videos Etc. Note: Mind regulations for privacy, proportionality and subsidiarity
  • 25. AUDIT TRAILS COMBINED Combining system generated and user generated evidence with the additional information creates a complete audit trail. Interrelate and correlate, minding proper time synchronization (clock offsets, time zones) and unique identifiers. Don’t assume: user williamsj does not have to be John Williams.
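Slides 21 and 25 (a chronological audit trail from system generated, user generated and other evidence, correlated only after synchronizing clocks and resolving identifiers) as an added worked example, not code from the talk. All log lines are constructed; the firewall's 45 second clock skew, its UTC setting and the `ACCOUNT_OWNERS` mapping stand in for facts that in a real case come from the investigation log and an HR or identity management export. It deliberately leaves the e-mail sender unresolved, because no authoritative record ties that address to a person.

```python
"""Combine system generated, user generated and 'other' evidence into one UTC timeline."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# --- Constructed sample evidence (illustrative, not from a real case) -----------------
WEB_LOG = [  # Apache combined-style lines: local time with explicit offset
    '10.0.0.23 - williamsj [15/Nov/2012:14:03:11 +0100] "GET /agenda HTTP/1.1" 200 5120',
    '10.0.0.77 - jdoe [15/Nov/2012:14:03:40 +0100] "GET /agenda HTTP/1.1" 200 5120',
    '10.0.0.23 - williamsj [15/Nov/2012:14:04:02 +0100] "POST /register HTTP/1.1" 302 0',
]
FW_LOG = [  # syslog: no year, no zone; device runs UTC and its clock was measured 45 s slow
    "Nov 15 13:02:26 fw01 kernel: ACCEPT SRC=10.0.0.23 DST=10.0.1.5 DPT=443",
    "Nov 15 13:03:17 fw01 kernel: ACCEPT SRC=10.0.0.23 DST=10.0.1.5 DPT=443",
]
FW_YEAR = 2012                      # taken from the investigation log, not guessed
FW_SKEW = timedelta(seconds=45)     # measured against the NTP reference during acquisition
MAIL_HEADERS = ["From: j.williams@example.com\nDate: Thu, 15 Nov 2012 14:05:42 +0100\nSubject: registered"]
BADGE_LOG = ["2012-11-15 14:10 badge 4471 entered room B"]   # attendance register, local time
LOCAL_TZ = timezone(timedelta(hours=1))                      # the register has no zone of its own

# Authoritative account-to-person mapping (assumed HR / IdM export). Accounts not listed
# stay unresolved: 'williamsj' is not John Williams until a record says so.
ACCOUNT_OWNERS = {"williamsj": "John Williams", "badge:4471": "John Williams"}


@dataclass(order=True)
class Event:
    ts: datetime      # always UTC after normalisation, so events from any source sort together
    source: str
    actor: str
    action: str
    where: str


def resolve(account):
    return ACCOUNT_OWNERS.get(account, f"unresolved:{account}")


WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
FW_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<act>\S+) '
                   r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)')
BADGE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) badge (?P<id>\d+) (?P<act>.+)$')


def parse_web(line):
    m = WEB_RE.match(line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(ts, "webserver", resolve(m["user"]), m["req"], m["ip"])


def parse_fw(line):
    m = FW_RE.match(line)
    naive = datetime.strptime(f"{FW_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=timezone.utc) + FW_SKEW   # slow clock: add the measured offset
    return Event(ts, m["host"], f"host:{m['src']}", f"{m['act']} -> {m['dst']}:{m['dpt']}", m["src"])


def parse_mail(raw):
    hdr = dict(l.split(": ", 1) for l in raw.splitlines())
    ts = parsedate_to_datetime(hdr["Date"]).astimezone(timezone.utc)
    return Event(ts, "mailbox", resolve(hdr["From"]), f"sent: {hdr['Subject']}", "smtp")


def parse_badge(line):
    m = BADGE_RE.match(line)
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    return Event(ts, "attendance", resolve(f"badge:{m['id']}"), m["act"], "building")


def build_timeline():
    events = [parse_web(l) for l in WEB_LOG] + [parse_fw(l) for l in FW_LOG]
    events += [parse_mail(m) for m in MAIL_HEADERS] + [parse_badge(l) for l in BADGE_LOG]
    return sorted(events)   # chronological, every entry on one clock


def correlate(events, window=timedelta(seconds=2)):
    """Pair web requests with firewall records from the same client IP within `window`.
    Only meaningful because both sides were normalised and skew-corrected first."""
    fw = [e for e in events if e.source.startswith("fw")]
    pairs = []
    for w in (e for e in events if e.source == "webserver"):
        for f in fw:
            if f.where == w.where and abs(f.ts - w.ts) <= window:
                pairs.append((w.action, f.action, w.actor))
    return pairs
```

Without the skew correction the two firewall records land 45 seconds before the requests they belong to and `correlate()` finds nothing; with it, both requests from 10.0.0.23 line up to the second. The mail event stays attributed to `unresolved:j.williams@example.com` in the timeline, which is the honest state until a mailbox owner record is added to the mapping.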
  • 26. FORENSIC READINESS • Be prepared for incidents, they WILL happen • Compliance • Prevention • Early warnings • Limit “damage” • Reduction of investigation cost/time • Effectiveness in sanctions (HR/Legal/IT)
  • 27. CASE ‘Did speaker participate in OWASP Benelux 2012 conference’
  • 28. CASE – CONT Potential evidence: • Laptop speaker • Network/server logs • Smartphone • Call registers
  • 29. CASE – CONT Hard disk evidence • Keyword search • System file analysis
  • 30. CASE – CONT Hits • Unallocated clusters (system generated)
  • 31. CASE – CONT Hits • Pagefile (System generated)
  • 33. CASE – CONT Hits • Network data – firewall logs
  • 34. CASE – CONT Hits • E-mail messages • Message tracking logs • Etc.
  • 35. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS • Webserver: logs • Application server / middleware: logs • Database server: logs, system tables, memory • Do not limit log files: log verbosely, and never overwrite earlier entries
  • 36. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS • Applications: What have YOU instructed the application to log / record ?
  • 37. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS • The application “Knows and Sees” a lot ! • CAPTURE THAT DATA: • Facilitate detailed logging for the purpose of audit trails: Who - e.g. user account What - (sequence of) activity When - date/time stamps Where - IP address, geo info, endpoint characteristics How - application navigation behavior As much and as detailed as possible ! Look across bridges, as far as you can see to both ends.
  • 38. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS • Where ? – (Additional) log files – (System) event log – Database ! • Mind: – Location and size – Access, authorization … – Performance • Forensic principles are to be included in your design !
  • 39. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS – CONT • Add monitoring, triggering mechanisms to your (forensic) logging to enhance the traceability with early warning and even prevention advantages. • It might also support your regular system debugging ;-)
  • 40. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS • Non-repudiation: Perform security tests so that fraudulent people cannot dispute their acts and the operation of your application. (They will tell you your application environment sucks!) Prove them wrong !
  • 41. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC READINESS - CONT • And don’t forget the traditional forensic sources: • Not only application logs contain relevant information • Consider logs of servers, network peripherals, workstations, syslogs
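Slides 35, 37, 38 and 40 together describe what an application's own audit trail should capture (Who, What, When, Where, How), that it must be append-only with no overwrites, and that it has to hold up against a user who disputes it. The following is an added example of such a trail, not code from the talk: one JSON object per line, UTC timestamps, and (the one design choice the slides do not spell out) each record carrying the SHA-256 of the previous one, so that an edited or deleted line is detectable later. The field layout and the requests in `demo()` are constructed.

```python
"""Append-only, hash-chained audit trail for a web application (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64   # prev_hash of the very first record


def _digest(record):
    """Hash the canonical JSON of a record minus its own 'hash' field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Who / What / When / Where / How per request, chained to the preceding record.

    Records are appended, never rewritten. Resuming an existing file picks the chain up
    where it stopped, so a restart does not break verification."""

    def __init__(self, path):
        self.path = Path(path)
        self.prev_hash, self.seq = GENESIS, 0
        if self.path.exists():
            for line in self.path.read_text(encoding="utf-8").splitlines():
                rec = json.loads(line)
                self.prev_hash, self.seq = rec["hash"], rec["seq"]

    def record(self, *, user, session, action, target, outcome, ip, user_agent, method, path, now=None):
        self.seq += 1
        rec = {
            "seq": self.seq,
            "when": (now or datetime.now(timezone.utc)).isoformat(timespec="microseconds"),  # UTC, always
            "who": {"user": user, "session": session},
            "what": {"action": action, "target": target, "outcome": outcome},
            "where": {"ip": ip, "user_agent": user_agent},
            "how": {"method": method, "path": path},
            "prev_hash": self.prev_hash,
        }
        rec["hash"] = _digest(rec)
        with open(self.path, "a", encoding="utf-8") as f:   # append only, one JSON object per line
            f.write(json.dumps(rec, sort_keys=True) + "\n")
        self.prev_hash = rec["hash"]
        return rec


def verify(path):
    """Walk the chain; return (True, -1) or (False, seq of the first record that fails)."""
    prev = GENESIS
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        if rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
            return False, rec["seq"]
        prev = rec["hash"]
    return True, -1


def demo():
    """Constructed walk-through: three requests in one session, then someone edits record 2."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "audit.jsonl"
        log = AuditLog(p)
        ctx = dict(user="williamsj", session="s-7f3a", ip="10.0.0.23", user_agent="Mozilla/5.0 (constructed)")
        log.record(action="login", target="/login", outcome="success", method="POST", path="/login", **ctx)
        log.record(action="view", target="/agenda", outcome="200", method="GET", path="/agenda", **ctx)
        log.record(action="register", target="talk:42", outcome="created", method="POST", path="/register", **ctx)
        before = verify(p)
        resumed_seq = AuditLog(p).seq                       # a restarted process continues at 3
        lines = p.read_text(encoding="utf-8").splitlines()
        lines[1] = lines[1].replace('"action": "view"', '"action": "nothing"')   # repudiation attempt
        p.write_text("\n".join(lines) + "\n", encoding="utf-8")
        after = verify(p)
        return {"before": before, "after": after, "records": len(lines), "resumed_seq": resumed_seq}
```

The chain makes tampering detectable, not impossible: whoever can rewrite the file can also re-hash every later record. That is why slide 38's points about location and access control matter, and why shipping a copy of each record (or at least the periodic head hash) to a log server the application itself cannot write to is the usual complement.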
  • 42. CONCLUSION • All activity as shown on screen has potential to be recovered • New technologies change the forensic landscape as well • Be prepared for incidents and know how to handle while preserving potential evidence • Be Forensic Ready! Be pro-active !
  • 43. And then what ? • Do not forget about “traditional” forensics • Adjust NOW to the changing landscape ! • OWASP has a Forensic project opened in Aug • Let’s ALL contribute: – We will ALL provide our knowledge and questions – List of tools – Facts about current forensic techniques (detailed techstuff) – Your environments and challenges – Compose a Forensics Ready (Secure) Application framework – Create new tools ?
  • 44. Thank you For any intermediate questions and suggestions: – marc@vest.nl (Marc Hullegie) – kees@vest.nl (Kees Mastwijk) www.vest.nl See you all at the “OWASP Forensic Guide Project” http://owasp.org/index.php/owasp_forensic_guide_project