Digital Forensics - Uio: About Me

Eivind Utnes is the head of security and senior information security consultant at Watchcom Security Group AS. He works on security audits, digital forensics, incident response, and education. The document discusses incident response and the role of digital forensics in investigating security incidents. It covers incident response procedures such as triage, investigation, containment, analysis and recovery of systems. Digital forensics aims to find reliable digital evidence that can support legal cases by examining computers, networks and mobile devices using forensic tools and techniques.

Digital Forensics UiO

About Me

I am:
Eivind Utnes, M.Sc.

I work for:
Watchcom Security Group AS

I work as:
Head of Security
Senior Information Security Consultant
Security Audits
Digital Forensics / Incident Response
Education

01.03.2016 Watchcom Security Group AS 2

Outline

Incident Response
Digital Forensics
Finding Evidence

Digital Forensics in Incident Response


(Businessinsider.com, 25.08.2013)

Incident Management

Incident Response Policy
Incident Response Team
Incident Response

Incident Response Policy

Responsibility
  Who makes the decisions?
Asset Priority
  Which systems can be taken offline?
  Which systems can absolutely not be taken offline?
Outside Experts and Agencies
  Who you gonna call?
  At what point is Law Enforcement involved?

Incident Response Policy

As an employee, if I discover an incident, what do I do?
The policy must include information on
  Chain of escalation
  How to prevent further damage
  How to preserve evidence until the Response Team can take over
Incident Response Team

Permanent
Virtual
Hybrid

Red team / Blue team

Derived from military wargames
Simulates an actual attack against the company
The Incident Response Team defends the system from the attack

Pearl Harbor Red Team

Incident Response Procedures

Triage
Investigation
Containment
Analysis
Tracking
Recovery


Triage

Weed out false positives
Categorize the event
  Type of incident
  Source of incident
  Growth of incident
  Damage potential of incident

Investigation and Containment

Collect data
Mitigate the damage

Analysis and Tracking

What is the root cause of the incident?
  Who
  How
  When
  Why
Do we need to involve Law Enforcement?

Follow-up (Postmortem)

Fix the problem
Can we improve the Incident Response Policy?
Disclosure


Digital Forensics

Digital Forensics in Court

The BTK Killer, Dennis Rader
Metadata in a Word file led to arrest after 30 years

Digital Forensics in Court

Krenar Lusha
Search of laptop led to discovery of bomb-making equipment

Digital Forensics in Court

Matt Baker
Suicide of wife ruled murder after incriminating Google searches were discovered 4 years later


Digital Forensics in Court

Sharon Lopatka
Emails on her computer led to her killer
Corcoran Group
Evidence that data had been deleted led to conviction

Digital Forensics

Known by many names
  Computer forensics
  Network Forensics
  Electronic Data Discovery
  Cyberforensics
  Forensic Computing

What is Digital Evidence?

Any digital data that contains reliable information that supports or refutes a hypothesis about an incident


The Forensic Investigation Process

Identification
Preservation
Collection
Examination
Analysis
Presentation

At the Crime Scene

Document the crime scene
  Document who has access
  Document any contamination
Photograph everything
  Especially the screen
Locate the media
  Follow cables
  Search for WiFi
If the computer is running, dump the RAM

The Digital Forensic Toolkit

Screwdrivers
Evidence bags
Labels
Forensic software
Write Blocker
Camera
Notebook with numbered pages
Storage: Large HDDs
Basic Scientific Principles

1. Best Evidence
2. Minimal Intrusion
3. Minimal Force
4. Minimal Interruption
5. Transparency
6. Chain of Custody
7. Primacy of the Mission
8. Impartiality
9. Documentation

Where is the Evidence?

Network analysis
Media analysis
Software analysis
Hardware analysis

When Dealing with Evidence

R-OCITE
  Return or seize
  Original
  Clone
  Image
  Targeted copy
  Extensive copy

Is the Evidence admissible?

How was it gathered?
How was it treated?
Who handled it?
How reliable is it?
Is the Chain of Custody complete?


Evidence categories

Conclusive Evidence: "This is fact"
Best Evidence: "This is it"
Secondary Evidence: "This is how it looks"
Direct Evidence: "This is what I saw"

Evidence categories

Corroborative Evidence: "That happened, because of this"
Circumstantial Evidence: "That could have happened, because of this"
Opinion Evidence: "I'm an expert, this is what happened"
Hearsay Evidence: "I heard this about that"

Digital Evidence

Digital evidence is considered hearsay
  Unless an expert vouches for it

Finding Evidence


Finding Evidence

Many ways to hide evidence
Many ways to find evidence

Hidden files

Setting the hidden flag on the file
Placing illicit materials in folders named "Tax Stuff" or "Guest Lectures"

Locating hidden files

We ignore the hidden flag by default
Forensic software can be set to show the whole drive as a flat drive, ignoring all folders

Changing File Extensions

When opening the file, the system returns an error message
  "Oh, I guess it is corrupted. Too bad."


Discovering changed File Extensions

Some forensic software will point out files with mismatched extensions
File signatures tell us what kind of file it is
  Also called Magic Numbers

File signatures

A hexadecimal code in the file
Examples:
  25 50 44 46 = %PDF = PDF
  49 44 33 = ID3 = MP3
  FF D8 FF = (not printable) = JPEG
  42 4D = BM = BMP
  4D 5A = MZ = EXE, COM, DLL

Example signature: JPEG
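The extension-mismatch check that the slides attribute to "some forensic software", written out as an added example (this is not code from the slides or from Watchcom). It uses only the five signatures listed above; the sample file headers are constructed for the demonstration, and `read_header` is a hypothetical helper for applying the same check to real files on disk.

```python
"""Check a file's leading bytes (its signature / magic number) against its extension."""
import os
from typing import Optional

# Signatures from the slide. FF D8 FF (JPEG) has no printable form; the rest spell
# %PDF, ID3, BM and MZ. Two-byte signatures (BM, MZ) are weak on their own, which is
# why real tools combine them with further structure checks.
SIGNATURES = [
    (b"%PDF", "PDF"),
    (b"ID3", "MP3"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"BM", "BMP"),
    (b"MZ", "EXE"),          # EXE, COM and DLL all start with the MZ header
]

# Extensions that are consistent with each signature.
EXPECTED_EXTENSIONS = {
    "PDF": {".pdf"},
    "MP3": {".mp3"},
    "JPEG": {".jpg", ".jpeg"},
    "BMP": {".bmp"},
    "EXE": {".exe", ".com", ".dll"},
}

def identify(header: bytes) -> Optional[str]:
    """Type implied by the first bytes of the file, or None if no known signature matches."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None

def check_extension(name: str, header: bytes) -> str:
    """'match' if the extension agrees with the signature, 'mismatch' if not, 'unknown' if none."""
    kind = identify(header)
    if kind is None:
        return "unknown"
    ext = os.path.splitext(name)[1].lower()
    return "match" if ext in EXPECTED_EXTENSIONS[kind] else "mismatch"

def scan(files):
    """files: iterable of (name, leading bytes). Returns [(name, type, verdict)], mismatches first."""
    rows = [(name, identify(header), check_extension(name, header)) for name, header in files]
    order = {"mismatch": 0, "unknown": 1, "match": 2}
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))

def read_header(path: str, length: int = 8) -> bytes:
    """Hypothetical helper: read only the first bytes of a real file (enough for every signature above)."""
    with open(path, "rb") as fh:
        return fh.read(length)

# Constructed sample headers (not real files): an executable and a JPEG both renamed to .txt.
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("Florida vacation 001.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("Tax Stuff.txt", b"MZ\x90\x00\x03\x00"),
    ("song.mp3", b"ID3\x03\x00"),
    ("holiday.txt", b"\xff\xd8\xff\xe1\x12\x34"),
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, kind, verdict in scan(SAMPLE_FILES):
        print(f"{verdict:9} {kind or '-':5} {name}")
```

The verdict is driven by content, not by the name: the two `.txt` files whose headers say MZ and FF D8 FF come out first as mismatches, while `notes.txt` is merely "unknown" because no listed signature matches.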


Obscure filenames

Hide files by giving them innocent sounding names
  Blueprints_iPhone7.jpeg becomes Florida vacation 001.jpeg

Filenames not always necessary

We use hashing algorithms to quickly look for known files, and either note or ignore them
  Hash lists recognize known illicit files
  Other lists recognize known good files
  We can create our own
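An added example (not the slides' or Watchcom's code) covering two of the slides above at once: the flat, folder-ignoring listing from "Locating hidden files" and the hash-set lookup from "Filenames not always necessary". Every file under a root is hashed with SHA-256 and matched against a known-bad and a known-good set, so a renamed copy or one tucked into a hidden folder is still found. The sample tree, its contents and both hash sets are constructed on the fly in a temporary directory.

```python
"""Flat file listing (hidden flags ignored) with known-bad / known-good hash sets."""
import hashlib
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path

def is_hidden(path: Path) -> bool:
    """True for dotfiles and, on Windows, for files carrying the hidden attribute."""
    if path.name.startswith("."):
        return True
    if sys.platform == "win32":
        try:
            return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
        except (AttributeError, OSError):
            return False
    return False

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large media does not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def flat_listing(root: Path):
    """Every regular file under root as one flat list: folders and hidden flags are ignored."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            found.append(Path(dirpath) / name)
    return sorted(found)

def classify(root: Path, known_bad: set, known_good: set):
    """Return (relative path, hidden?, sha256, verdict) per file; the verdict depends on content only."""
    results = []
    for path in flat_listing(root):
        digest = sha256_of(path)
        if digest in known_bad:
            verdict = "KNOWN-BAD"
        elif digest in known_good:
            verdict = "known-good (ignore)"
        else:
            verdict = "unknown (review)"
        results.append((path.relative_to(root).as_posix(), is_hidden(path), digest, verdict))
    return results

def demo():
    """Constructed sample tree: a flagged file renamed, and copied again into a hidden folder."""
    root = Path(tempfile.mkdtemp(prefix="hashset_demo_"))
    flagged = b"constructed sample: contents of a flagged file\n"
    benign = b"constructed sample: a known system file\n"
    (root / "Tax Stuff").mkdir()
    (root / ".cache").mkdir()
    (root / "Tax Stuff" / "Florida vacation 001.jpeg").write_bytes(flagged)
    (root / ".cache" / ".thumbs").write_bytes(flagged)
    (root / "hello.dll").write_bytes(benign)
    (root / "notes.txt").write_bytes(b"ordinary notes\n")
    known_bad = {hashlib.sha256(flagged).hexdigest()}      # our own "illicit" list
    known_good = {hashlib.sha256(benign).hexdigest()}      # our own "known good" list
    try:
        return classify(root, known_bad, known_good)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for rel, hidden, digest, verdict in demo():
        print(f"{verdict:20} hidden={hidden!s:5} {digest[:12]}  {rel}")
```

Real hash sets such as NSRL (known good) are distributed as large files of hashes; the set lookup above is the same operation, just over a far bigger set, and the known-good match is what lets an examiner discard thousands of operating-system files without opening them.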

Encrypted Files

Strong encryption algorithms almost impossible to break
  "Sorry, I've forgotten my 50 character long password."

Breaking Encryption

Recovering key from RAM
Brute force
Exploiting weaknesses in the software or the algorithm used (Cryptanalysis)
Some countries have laws that compel the suspect to give up keys
Less ethical methods
  Rubber-hose cryptanalysis
  Black-bag cryptanalysis


Steganography

Hiding a file inside another file
  Hiding "Nuclear Launch Codes.txt" inside "Adorable Cat.jpeg"

Steganography example

Inside one of these files the text "This is a test. This is only a test." is hidden.
(symantec.com, 02.11.2010)

Steganography example

The ZeusVM malware uses image files to hide configuration files
(digi.no, 19.02.2014)

Discovering Steganography

Hard to determine, unless you are looking for it
Steganography software on the suspect's computer is a strong indicator
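A detection example added here (not from the slides or Watchcom) for the crudest form of "a file inside another file": data appended after a JPEG's End-Of-Image marker. The checker walks the JPEG marker structure rather than searching for the last FF D9, so a payload that itself contains that byte pair does not fool it. The carrier is a constructed minimal JPEG (valid structure, no real picture) and the hidden text is the phrase from the slide.

```python
"""Flag data appended after a JPEG's End-Of-Image marker, the simplest 'file inside a file'."""

SOI = b"\xff\xd8"   # Start Of Image, the JPEG signature from the slides
EOI_MARKER = 0xD9   # End Of Image
SOS_MARKER = 0xDA   # Start Of Scan: entropy-coded image data follows

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the EOI marker."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing FF D8 signature")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI_MARKER:
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # stand-alone markers carry no length field
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        pos += 2 + length
        if marker == SOS_MARKER:
            # Skip entropy-coded data: FF 00 is a stuffed byte, FF D0..D7 are restart markers,
            # anything else after FF is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def find_trailing_data(data: bytes):
    """Return (end_of_image_offset, bytes after it). Non-empty trailing bytes deserve a look."""
    end = jpeg_end_offset(data)
    return end, data[end:]

def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG (not a real picture): SOI, APP0, SOS, a little scan data, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # includes a stuffed FF 00 and an RST0 marker
    return SOI + app0 + sos + scan + b"\xff\xd9"

HIDDEN_TEXT = b"This is a test. This is only a test."   # the slide's hidden phrase, constructed sample

if __name__ == "__main__":
    clean = build_sample_jpeg()
    tampered = clean + HIDDEN_TEXT              # the carrier with a payload appended
    for label, blob in (("clean", clean), ("tampered", tampered)):
        end, extra = find_trailing_data(blob)
        print(f"{label}: image ends at byte {end} of {len(blob)}, {len(extra)} trailing bytes {extra[:40]!r}")
```

Trailing bytes are only one indicator: tools that alter pixel values (LSB embedding) leave the file structurally clean, which is why the slide's point stands that steganography is hard to spot unless you go looking, and why the presence of steganography software on the machine is such a useful lead.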
Deleting Files

Deleting the files from the computer before law enforcement claims it
  "You can't prove anything, there is nothing there."

How does the System delete Files?

Deleting a file does not actually remove it
In Windows, the file is renamed
  CorporateSecrets.txt
  ~orporateSecrets.txt
This tells the system that the space is available

How to reclaim it?

Simplest way: Renaming!
  ~orporateSecrets.txt
  CorporateSecrets.txt
The system no longer considers the space available

What if the space has been overwritten?

Pieces of data can be recovered from the file slack between files

  AAAA BBBB CCCC DDDD 1111 2222 3333 4444
  ~AAA BBBB CCCC DDDD 1111 2222 3333 4444
  XXXX YYYY ZZZZ DDDD 1111 2222 3333 4444
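A toy disk model, added here as an example (not the slides' or Watchcom's code), that replays the three slides above: delete marks the directory entry and leaves the data, "renaming" undeletes it while the clusters are still free, and an overwrite reclaims only the clusters the new file needs. The 4-byte clusters, the `~` marker and the file names follow the slide's diagram; the model is a simplification and not a real file system.

```python
"""Toy disk: deleting only marks the directory entry; overwriting leaves residue behind."""
from dataclasses import dataclass

CLUSTER = 4          # bytes per cluster, matching the 4-character groups in the slide's diagram
MARK = b"~"          # the slide's stand-in for the byte that flags a deleted entry

@dataclass
class Entry:
    name: bytes
    start: int       # first cluster
    length: int      # bytes actually written
    deleted: bool = False

    def clusters(self):
        count = -(-self.length // CLUSTER)   # ceiling division
        return range(self.start, self.start + count)

class Disk:
    def __init__(self, cluster_count: int):
        self.data = bytearray(cluster_count * CLUSTER)
        self.entries = []

    def allocated(self):
        """Clusters the system considers in use: those of live (non-deleted) entries only."""
        used = set()
        for entry in self.entries:
            if not entry.deleted:
                used.update(entry.clusters())
        return used

    def find(self, name: bytes) -> Entry:
        for entry in self.entries:
            if entry.name == name:
                return entry
        raise FileNotFoundError(name)

    def write(self, name: bytes, content: bytes) -> Entry:
        """First-fit contiguous allocation; reuses clusters of deleted files without wiping them."""
        need = -(-len(content) // CLUSTER)
        used = self.allocated()
        total = len(self.data) // CLUSTER
        for start in range(total - need + 1):
            if not used & set(range(start, start + need)):
                offset = start * CLUSTER
                self.data[offset:offset + len(content)] = content
                entry = Entry(name, start, len(content))
                self.entries.append(entry)
                return entry
        raise OSError("disk full")

    def read(self, entry: Entry) -> bytes:
        offset = entry.start * CLUSTER
        return bytes(self.data[offset:offset + entry.length])

    def delete(self, name: bytes):
        """Delete as the slide describes: mark the name, leave the data where it is."""
        entry = self.find(name)
        entry.name = MARK + entry.name[1:]
        entry.deleted = True

    def undelete(self, marked_name: bytes, first_char: bytes) -> bool:
        """Rename the entry back; fails if any of its clusters were handed to another file."""
        entry = self.find(marked_name)
        if set(entry.clusters()) & self.allocated():
            return False
        entry.name = first_char + entry.name[1:]
        entry.deleted = False
        return True

    def residue(self) -> bytes:
        """Bytes no live file owns: unallocated clusters plus the slack tail of each live file."""
        live = self.allocated()
        out = bytearray()
        for cluster in range(len(self.data) // CLUSTER):
            if cluster not in live:
                out += self.data[cluster * CLUSTER:(cluster + 1) * CLUSTER]
        for entry in self.entries:
            if not entry.deleted and entry.length % CLUSTER:
                tail_start = entry.start * CLUSTER + entry.length
                tail_end = (entry.start + len(entry.clusters())) * CLUSTER
                out += self.data[tail_start:tail_end]
        return bytes(out)

def demo():
    """Replays the slide's diagram: write, delete, undelete, delete again, overwrite, carve the rest."""
    disk = Disk(8)
    original = b"AAAABBBBCCCCDDDD1111222233334444"
    disk.write(b"CorporateSecrets.txt", original)
    disk.delete(b"CorporateSecrets.txt")
    undelete_before = disk.undelete(b"~orporateSecrets.txt", b"C")
    content_back = disk.read(disk.find(b"CorporateSecrets.txt"))
    disk.delete(b"CorporateSecrets.txt")
    marked_name = disk.find(b"~orporateSecrets.txt").name
    disk.write(b"Minutes.txt", b"XXXXYYYYZZZZ")          # lands on the freed clusters 0..2
    undelete_after = disk.undelete(b"~orporateSecrets.txt", b"C")
    return {
        "marked_name": marked_name,
        "undelete_before_overwrite": undelete_before,
        "content_back": content_back,
        "undelete_after_overwrite": undelete_after,
        "layout": bytes(disk.data),
        "residue": disk.residue(),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

After the overwrite, `layout` reads `XXXXYYYYZZZZDDDD1111222233334444`, exactly the third row of the diagram, and `residue` returns the `DDDD 1111 2222 3333 4444` tail that a carving tool would still find. When the new file does not fill its last cluster, `residue` also returns the old bytes left in that cluster's slack.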


Metadata

What if we only have a file?

Using Metadata

Data about the file
  When was the file last used?
  When was the file created?
  Who opened it?
  Where was it created?
Can prove who had access to the file
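An added example (not the slides' or Watchcom's code) of pulling the metadata the questions above ask for from two places: the `docProps/core.xml` part inside a Word `.docx` (creator, last modifier, created and modified times, revision count) and the filesystem timestamps of the file itself. The `.docx` is a constructed minimal zip carrying only that metadata part, enough to exercise the parser; the same function works on a real document because Word stores the part under the same name and namespaces.

```python
"""Read author and timestamp metadata from a Word .docx (an OOXML zip) and from the filesystem."""
import io
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# core.xml fields that answer the slide's questions: who created it, who touched it last, when.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "revision": "cp:revision",
}

def read_core_properties(docx_bytes: bytes) -> dict:
    """Parse docProps/core.xml inside the zip; empty dict if the part is missing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if "docProps/core.xml" not in archive.namelist():
            return {}
        root = ET.fromstring(archive.read("docProps/core.xml"))
    found = {}
    for key, path in CORE_FIELDS.items():
        element = root.find(path, NS)
        if element is not None and element.text:
            found[key] = element.text.strip()
    return found

def filesystem_times(path: str) -> dict:
    """Filesystem timestamps as UTC ISO 8601: last access, last content change, last metadata change."""
    st = os.stat(path)
    iso = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {"accessed": iso(st.st_atime), "modified": iso(st.st_mtime), "changed": iso(st.st_ctime)}

def build_sample_docx(include_core: bool = True) -> bytes:
    """Constructed sample: a minimal zip carrying only core.xml (no document body)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>Sample Author</dc:creator>"
        "<cp:lastModifiedBy>Sample Editor</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2016-02-29T08:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-03-01T09:30:00Z</dcterms:modified>'
        "<cp:revision>3</cp:revision>"
        "</cp:coreProperties>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml",
                         "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        if include_core:
            archive.writestr("docProps/core.xml", core)
    return buffer.getvalue()

def demo() -> dict:
    """Write the sample to a temp file so both the in-document and the filesystem views can be read."""
    blob = build_sample_docx()
    with tempfile.NamedTemporaryFile(suffix=".docx", delete=False) as fh:
        fh.write(blob)
        path = fh.name
    try:
        return {"document": read_core_properties(blob), "filesystem": filesystem_times(path)}
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for source, fields in demo().items():
        print(source)
        for key, value in fields.items():
            print(f"  {key}: {value}")
```

Reading the two views side by side is the point: the document's own creator and modifier names survive copying and e-mailing, while the filesystem timestamps describe only the copy in front of you, so the two together say who had the file and roughly when.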

Metadata Example

EOL

Questions?
