Advanced Game Theory and Gaining the Advantage in the ...
About Jenn Mastin
Employed at Nexigen
Forensics Investigator
Incident Response Engineer
Security Engineer
Bachelor of Science: Computer Information Technology - Network
Administration and Security
Email Address: [email protected]
Linked In: Jennifer Mastin
About Ty Braunwart
I work at Nexigen
Sr Forensics Engineer
Sr Incident Response Engineer
Sr Security Engineer
Penetration Tester
Email address: [email protected]
Linked in: Ty Braunwart
My Alphabet Soup
CCFE: Certified Computer Forensics Examiner
CHFI: Computer hacking forensic investigation
CEH: Certified Ethical Hacker v9
Bachelor of Science: Computer Information Technology - Network
Administration and Security
What is Digital Forensics?
Digital forensics is the process of uncovering and interpreting electronic data.
The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.
What knowledge is needed?
Networking and networking protocols
Server administration and logs
Deep understanding of how different operating systems work
Cloud and cloud services
Various printer functions and configurations
Programming, hex, email, etc. ...
Physical Tools
GO Bag/Box
Screwdrivers
Paper and pens
Chain of custody / Intake forms
Write blockers
Hard Disk, Hard Disk, did I mention Hard Disk
Camera
Flash light
Physical Tools
Forensics Laptop
Live CD/USB media
Cables for every possible device under the sun
Faraday bags
Security Tape/Strips
Network Tape
Etc. ….
Head phones and Music
Software Tools
Investigative software --- commercial or open source
eDiscovery suites --- commercial or open source
Mobile device viewing and backup software
Hex editor
Packet capture and viewing tools
Image viewer
Software to view emails
Software to view documents
Etc. …..
Digital Forensics Steps
Pre Show
Information Gathering / Scope
Securing the scene and identifying evidence
Evidence acquisition
Analysis of evidence looking for artifacts
Reaching a conclusion based on artifacts
Reporting / testifying
Cleaning data
Pre Show
Check Cables
Check Forensics Devices
Check All Forensics Workstations
Check Drives
Check Procedures
Check Skills and Education
Make sure you have enough forms for evidence
Information Gathering / Scope
Find out the Scope of work and what the client is looking for
Find out number devices involved and type
Find out any restrictions placed on the investigation
Find out if any business-critical devices are involved
Find out what data I could expect seeing
Find out where you will be allowed to work
Setup case number and who is going to be assigned to it
Securing the Scene and Identifying Evidence
Identify the scene and keep people from touching the evidence
Have the client identify each piece of evidence
Ask whether anyone touched or modified any data before you arrived
Start a chain of custody and evidence acquisition form for each piece of evidence
Evidence Acquisition
Take pictures of the evidence and the scene
Inspect the first piece of evidence and produce a game plan
Collect artifacts based on volatility.
Make notes of every step you take and WHY you took them
Order of Volatility
Memory
Network connections
Running processes / loaded DLLs
Users logged on
Hard drives / Non-volatile media
Memory
Take a snapshot of the memory and save it to an external location
Interacting with the computer in any way modifies memory
Memory is constantly changing while the computer is on
The memory snapshot will be the same size as all the memory installed on the unit.
Network Connections
Get network connections active on the computer
Get list of listening ports on the computer
Hard drive / Non-volatile media
Make an image of the media, either online or offline
Calculate the MD5 and SHA1 hashes
Types of non-volatile media
Magnetic Hard Drives
SSD Drives
Flash Drives
Zip Drives
CD / DVD
ETC.
Magnetic Hard Drives
Classic hard drive
Keeps data on the drive until it is overwritten by another file or program
Slower to read from and write to
The forensics examiner's best friend
SSD Hard Drive
Solid State Drive
No moving parts
Faster Read and Write
Depending on the configuration, evidence could be destroyed
Becoming standard in most laptops and computers
Other Media
Flash Drives are everywhere.
CD / DVD still are used, but are becoming rare.
ZIP drives lost out to flash drives.
Floppy disk.
Magnetic tape drives.
SAS drives.
Stored on Non-Volatile Media
File system.
Folders.
Configuration files.
Pictures.
Documents.
Items that need to remain after reboot.
Collecting Data from Memory
Use a program like DumpIt to save a snapshot of the memory to an external drive for later analysis. Once DumpIt is finished, run an MD5 and/or SHA1 hashing tool on the memory dump.
Once you remove power from the computer, the memory will quickly start losing the data stored on the chips.
The size of the dump will be the total size of memory installed on the system.
This would be considered live data collection.
Collect Network Usage
Use network tools like netstat and save the results to an external storage device.
Some of the network information will also be stored in the memory dump.
Use a LAN tap and a packet analysis tool to capture live network data.
This is also considered live data collection.
For overall company network usage, you can reach out to the company's ISP, which will be able to provide that information.
Running Processes
Use a process monitoring tool like Process Monitor to view all processes running on the system.
Use the memory dump to view the running processes.
Use task manager and take screen shots.
Save info to external storage device.
This is considered live data collection.
List of Active Users
Use task manager or another program to list Active Users.
System Logs can also be utilized to find active users if it is recorded.
Look in the memory dump.
This is considered live data collection.
Non-Volatile Media
Off-line collection.
Live collection.
Use imaging software to make a raw disk image or an E01 image.
Get MD5/SHA1 hashes.
Make copies of the images and work off of them exclusively.
Non-Volatile Live Collection
Use FTK, dd, or any other imaging software to make a disk image of the drive and save it to an external storage device.
Not the most forensically sound method, but sometimes your only choice.
The total size of the disk image will be the same as the total disk space of the system.
Non-Volatile Offline Collection
Power off the system.
Remove the drive.
Connect the drive to a write blocker.
Run imaging tools to make disk image and save to external storage.
Make MD5/SHA1 hashes of the image.
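Added example (Python, not code from the presentation or its lab): the hashing step that both the memory-dump collection and the offline disk-image collection above end with, done in one chunked pass, recorded beside the image, and re-checked on the working copy before analysis starts. File names and the sample bytes are constructed.

```python
# Added example, not from the presentation: hash an acquired image once in
# chunks, record the digests, and verify a working copy before analysing it.
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so multi-GB images need not fit in RAM

def hash_stream(fh):
    """Return (md5, sha1) hex digests of a binary stream, read in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fh.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def hash_bytes(data):
    """Same digests for in-memory data (handy for a quick self-check)."""
    return hash_stream(io.BytesIO(data))

def hash_image(path):
    """Hash a memory dump or disk image on disk (DumpIt, dd or FTK output)."""
    with open(path, "rb") as fh:
        return hash_stream(fh)

def write_hash_record(image_path):
    """Store digests beside the image in md5sum/sha1sum style and return them."""
    md5, sha1 = hash_image(image_path)
    name = os.path.basename(image_path)
    with open(image_path + ".hashes", "w", encoding="utf-8") as out:
        out.write(f"{md5}  {name}\n{sha1}  {name}\n")
    return md5, sha1

def verify_copy(recorded, copy_path):
    """True only if the working copy still matches the acquisition digests."""
    return hash_image(copy_path) == tuple(recorded)

def demo():
    """Constructed sample, not real evidence: an image, a good copy, a tampered copy."""
    work = tempfile.mkdtemp()
    data = bytes(range(256)) * 4097  # just over one CHUNK, so the loop runs twice
    paths = [os.path.join(work, n) for n in ("evidence.raw", "copy.raw", "altered.raw")]
    for path, content in zip(paths, (data, data, data[:-1] + b"\x00")):
        with open(path, "wb") as fh:
            fh.write(content)  # a single changed byte in altered.raw breaks the match
    recorded = write_hash_record(paths[0])
    return verify_copy(recorded, paths[1]), verify_copy(recorded, paths[2])
```

Run the same check again after every copy operation; a mismatch means that copy cannot be used for analysis or reporting.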
Analysis of Evidence for Artifacts
Work off a copy of the disk image you made from earlier.
Focus on locations or items that will help answer your client's questions.
This is where understanding how different operating systems work, how they process information and how they store it is important.
Take detailed notes on everything you find and the process/procedures taken.
Look at one piece of evidence at a time.
Coming to a Conclusion Based on Artifacts
This is the big thing you are getting paid for. It is your job to interpret the facts and explain them in a way that anyone can understand.
You need to understand how the artifacts are created and stored.
You need to have strong evidence to support your conclusion.
Reporting / Testifying
Remember the high school science reports you had to write.
Make sure any competent person can repeat your steps and get the same results.
Remember the notes you were taking the whole time.
Use your hashes.
Write all reports as if it is going to go before a court of law.
The report sets the stage for how people see you.
Only include the facts.
Cleaning Data
This might happen seconds or years after the conclusion of the case.
Zero out your drives.
Make sure all resources collected are returned to their owner(s) (have them sign the Chain of Custody sheet).
Remove any evidence saved on your forensics computer.
Review how the case went and make changes or improvements.
See Pre Show
Lab Time
Sign into NKU Secure/Encrypted with the csc_cyberXX user.
Sign into https://coivcenter1.hh.nku.edu. This site only works when you are “inside” NKU’s network.
Workstation Password: Work-2018;
Lab time
Lab 1: Hacker Man
What operating system was used on the computer?
Who is the registered owner?
What is the computer account name?
What is the account name of the user who mostly uses the computer?
What is the primary domain name?
List all installed programs that may be used for hacking?
List 3 IRC channels that the users of the computer access?
List the network cards used by this computer
Answers
What operating system was used on the computer?
Windows XP
Who is the registered owner?
Greg Schardt
What is the computer name?
N-1A9ODN6ZXK4LQ
What is the account name of the user who mostly uses the computer?
Mr. Evil
What is the primary domain name?
Evil
List the network cards used by this computer
Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)
Compaq WL110 Wireless LAN PC Card
Answers
List all installed programs that may be used for hacking?
Cain & Abel v2.5 beta45 (password sniffer & cracker)
Ethereal (packet sniffer)
123 Write All Stored Passwords (finds passwords in registry)
Anonymizer (hides IP tracks when browsing)
Look&LAN_1.0 (network discovery tool)
NetStumbler (wireless access point discovery tool)
Answers
List 3 IRC channels that the users of the computer access?
Ushells.undernet.log
Elite.hackers.undernet.log
Mp3xserv.undernet.log
Chataholics.undernet.log
Cybercafé.undernet.log
M5tar.undernet.log
Thedarktower.afternet.log
Funny.undernet.log
Luxshell.undernet.log
Evilfork.efnet.log
Iso-warez.efnet.log
Houston.undernet.log
Questions
What OS is installed on the image?
What is the timezone setting?
What is the computer name?
Who was the last user to logon into PC?
What websites were the suspect accessing?
What was the email address of the suspect?
List all e-mails of the suspect. If possible, identify deleted e-mails. (You can identify the following items: Timestamp, From, To, Subject, Body, and Attachment.)
What anti-forensics tools or documents are located on the computer?
What is the IP address of company’s shared network drive?
What files were uploaded to the Internet, and what application was used?
What account was used to log in to Google Drive?