(120804) #fitalk field device
TRANSCRIPT
FORENSIC INSIGHT SEMINAR
Discussion #1 : Field device
ykei
ykei.egloos.com
@ykx100
forensicinsight.org Page 2 / 21
Overview
1. Background
2. Problems
3. When I met SCADA
4. Discussion topic
Background
- What is a field device
- Why we need to care about this
Background
What is a field device in here?
Background
Why do we need to care about this?
Fxxk the mass-media
Have to cross check → Be trustworthy
To find the smoking bit (especially manipulated digital evidence)
No way without this
Major threat for forensicators
Problems
- Issues that I met
- Example
Problems
Issues, and when they arise:
- Interfaces: it has no USB, CD-ROM, display, keyboard or Ethernet
- File system mount: NTFS not supported? or trouble recognizing the file system
- OS compatibility / tools: no executable imaging tool, not even dd
- The risk of system failure: we have no time for a verification step in this situation
- Capacity / time: other headache factors
Of course, we have to keep integrity of evidence! Can you accomplish this mission?
Problems
Examples
Router / Switch
• Telnet, console connection
• But no imaging tools
Home router (wired, wireless)
• Telnet, web admin
• No imaging tools (but it can execute a static dd binary)
Home SCADA
• Nothing!! Just an open, stupid console
When I met SCADA
- Case Study
I think… case
Case Study
When I met SCADA
Case Study
When I met SCADA
Case Study
Prepare
When I met SCADA
Case Study
See pic…
Sorry
When I met SCADA
Case Study
Log
When I met SCADA
Case Study
Test
When I met SCADA
Case Study
Vaccine (anti-virus)
When I met SCADA
Case Study
Undetected malware
When I met SCADA
Case Study
Detected malware
When I met SCADA
Case Study
Remote Control
• RDP, Neturo
Discussion topic
Discussion topic
Case Study
What is the data for forensicators?
Disk / memory image? Log files?
How can we better preserve evidence?
• Imaging is the ideal option.
• FTP? / File copy?
How can we keep integrity for chain of custody?
• File hash? / Documents (a kind of agreement?) / Burning a CD?
How can we acquire a field device?
• Router, gateway, switch, home network device, even SCADA?
• Forensic acquisition tools? / dd? / File copy? / Cold imaging?
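The slides raise two of these questions together: acquiring a device that offers nothing but a console and a static dd binary, and keeping integrity for chain of custody. The script below is an added example, not from the seminar; it assumes POSIX sh with dd, sha256sum and tr (as found in a static BusyBox), and the device paths and sample content are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: image a field device with a static dd
# binary, then record and re-check hashes so the image can be tied to the
# chain-of-custody record. Assumes POSIX sh plus dd, sha256sum and tr
# (all present in a static BusyBox); device and file paths are constructed.

# make_sample_device PATH
# Constructed stand-in for a flash partition: 8 sectors of 512 bytes.
make_sample_device() {
    dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\000' 'A' > "$1"
}

# acquire_and_verify SRC DEST LOG
# Copies SRC to DEST sector by sector, hashes both sides and appends both
# hashes with a UTC timestamp to LOG. Returns 0 only when the hashes match.
acquire_and_verify() {
    src=$1; dest=$2; log=$3
    # noerror,sync: keep reading past bad sectors and pad them so offsets
    # in the image still line up with the device (the source must be a
    # whole number of sectors, which is true for real block devices).
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dest_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s sha256=%s\n' "$stamp" "$dest" "$dest_hash" >> "$log"
    [ "$src_hash" = "$dest_hash" ]
}

# verify_image IMAGE LOG
# Later check by whoever receives the image: re-hash it and compare with the
# value written to LOG at acquisition time. Fails if no record exists.
verify_image() {
    image=$1; log=$2
    recorded=$(grep -F "image=$image " "$log" | tail -n 1 | sed 's/.*sha256=//')
    current=$(sha256sum "$image" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# When the device has no writable storage, the same dd can be streamed to a
# collection host instead of a local file, e.g. (not run here):
#   dd if=/dev/mtdblock0 bs=512 conv=noerror,sync | nc COLLECTOR_IP 9000

if [ "${1:-}" = "demo" ]; then
    make_sample_device ./sample_mtd \
      && acquire_and_verify ./sample_mtd ./sample_mtd.dd ./custody.log \
      && verify_image ./sample_mtd.dd ./custody.log && echo "image verified"
fi
```

The source hash is taken from the live device, so it only holds if nothing writes to that partition between the two reads; on a running SCADA host that window is exactly the risk the slides describe.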