Forensics for Cybersecurity
Pete Dedes, CCE, GCFA, GCIH
WHO AM I?
• Pete Dedes, Forensics Analyst, Sword & Shield Enterprise Security
• Education
– Bachelor of Science – Computer Science, University of Tennessee
• Certifications:
– CCE – Certified Computer Examiner
– GCFA – GIAC Certified Forensic Analyst
– GCIH – GIAC Certified Incident Handler
– Licensed Private Investigator in State of Tennessee
• Digital Forensics
– Intellectual Property Theft
– Domestic Cases
– Unlawful Termination
– Computer Usage Policies
– Electronic Discovery
– Mobile Device Forensics
• Security Analyst / Incident Handler
– Network Vulnerability Assessments and Penetration Tests
– Sensitive Data Discovery
– Security Assessments
– Incident Response
PRIMER - INCIDENT RESPONSE
– Preparation – plan the IR capability, but also prevent incidents by ensuring secure systems, applications, and networks.
– Identification and Scoping – the security team discovers an incident, or is notified by a third party (law enforcement (LE) or a SOC). Proper identification of ALL compromised systems is important.
– Containment / Intelligence Gathering
– Eradication/Remediation
– Recovery
– Follow Up/Lessons Learned
WHAT IS EVIDENCE?
• Anything that can be collected from the systems under investigation.
• Anything that can be used to prove or disprove a fact.
WHAT IS FORENSICS?
• Recovery and investigation of material found in digital devices:
– Criminal/Civil Cases
– Network Forensics
– Mobile Forensics
WHY BOTHER WITH INTELLIGENCE GATHERING?
• Reasons why we collect and analyze evidence:
– Prepare to prevent future breaches (plug the holes).
– Determine what the target was.
– Assess what valuable information was exposed/exfiltrated.
– Fulfill an obligation to disclose (Breach Notification Policy).
EVIDENCE COLLECTION
Evidence collection is part of the intelligence gathering stage of incident response:
• Attackers try to cover their tracks to make discovery difficult so they can continue operating undetected. They also want to keep their methods secret to prevent future defensive measures.
• When an incident is discovered, we’re compelled to get things back to normal. This risks destroying valuable information about the attack in the process. To prevent future attacks of the same kind, we need to understand as much as we can about the current one.
• We need to take the time and effort to preserve computers, logs of all kinds, computer memory if possible, user information and any other pertinent information before the evidence is destroyed.
EVIDENCE
– Types
• Hard drives, memory, removable media.
• Process information, network connections, log files and user information.
– Methods
• Forensically sound collections. Avoid data loss. Collect information in the correct order.
• Store an original copy of evidence and only work on copies of the original.
IF LITIGATION COULD RESULT…
• Start a Chain of Custody form
• Generate, verify and store Hash Values (MD5, SHA1, etc.)
• Create Forensic Images whenever possible
• Document everything about the collection: how the evidence was obtained and the process used to collect it. You will need this to demonstrate integrity.
• Store originals and copies in an access-controlled area.
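The hash-and-document steps above, as an added example that is not from the slides: hash an image once at acquisition, keep the digests in a sidecar record, re-verify a working copy against that record before analysis, and append each handling step to a chain-of-custody log. The examiner name, file names and the sample "disk" contents are constructed placeholders.

```python
# Added example (not from the slides): hash a forensic image, keep the hashes in a sidecar
# file, re-verify a working copy later, and append chain-of-custody entries. The examiner
# name and file names are placeholders; the image is an ordinary file on disk.
import hashlib, os, tempfile
from datetime import datetime, timezone

ALGOS = ("md5", "sha1", "sha256")  # slides name MD5/SHA1; SHA-256 added as current practice

def hash_file(path, algos=ALGOS, chunk=1 << 20):
    """Stream the file once and return {algo: hexdigest} for each algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def write_hash_record(image_path, digests):
    """Store acquisition hashes beside the image, one 'algo  hex' line each."""
    record = image_path + ".hashes"
    with open(record, "w") as f:
        f.writelines(f"{a}  {h}\n" for a, h in digests.items())
    return record

def verify_image(image_path, record_path):
    """Re-hash and compare to the stored record; return the algorithms that differ."""
    with open(record_path) as f:
        stored = dict(line.split() for line in f if line.strip())
    current = hash_file(image_path, algos=tuple(stored))
    return sorted(a for a in stored if stored[a] != current[a])

def log_custody(log_path, examiner, action, image_path, digests):
    """Append one chain-of-custody line: when, who, what, which item, sha256."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(log_path, "a") as f:
        f.write(f"{stamp}\t{examiner}\t{action}\t{os.path.basename(image_path)}\tsha256={digests['sha256']}\n")

def demo():
    """Constructed run: acquire, record, verify, then detect a single altered byte."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "evidence001.dd")
    with open(image, "wb") as f:  # constructed sample 'disk' contents
        f.write(b"\x00" * 4096 + b"constructed sample disk contents" + b"\xff" * 4096)
    digests = hash_file(image)
    record = write_hash_record(image, digests)
    log_custody(os.path.join(work, "custody.log"), "EXAMINER-PLACEHOLDER", "acquired", image, digests)
    before = verify_image(image, record)  # [] : working copy matches the record
    with open(image, "r+b") as f:  # simulate one altered byte in the working copy
        f.seek(4100)
        f.write(b"X")
    after = verify_image(image, record)  # every algorithm now differs
    return before, after
```

Keep the `.hashes` record and the custody log with the original, not on the working copy's media, so a mismatch can be traced to a specific handling step.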
STATIC DATA VS VOLATILE DATA
• Collecting evidence in the correct order is key.
• Some systems must be collected live if no other options exist, or if it is important to capture the state of a system (current processes).
• Shutting down a system can destroy valuable evidence (temp files removed, processes stopped, memory cleared).
COLLECTING THE EVIDENCE
• Hard Drive Images
• Memory Dump
• Copies of Removable Media
• Mobile Devices
• Network Log Files
• Virtual Machines
TOOLS FOR COLLECTING EVIDENCE
• Write-Blockers – Tableau, Thumbscrew, HardCopy, DiskJocky, Firefly
• Software – FTK Imager, Sumuri, Linux dd commands
• F-Response – Remote Acquisition
• UFED, Lantern – Mobile Device
• Wireshark – Live Network Capture, Offline Analysis
Reference: www.forensicswiki.org
STATIC ACQUISITION
LIVE ACQUISITION
OSX FROM BOOT DISK
MEMORY ANALYSIS
REMOVABLE DEVICES
PHONE ACQUISITIONS
SMART PHONE
SMART PHONE GEO-ANALYSIS
VIRTUAL MACHINE EXPORT
NETWORK LOGS
WHAT IS DONE WITH THE EVIDENCE?
• Copies given to a security company for forensic analysis
• In-house analysis if so equipped
• Looking for:
– Root source of breach
– Damages incurred
– Spread of breach throughout the network
CONCLUSION
• Acquire the tools needed for your environment.
• Get familiar with the tools.
• Know what network devices to pull logs from.
QUESTIONS?
• Thank you for your time today.
• I would be happy to answer any questions.