sh#3 incident forensics

Posted on 23-Jan-2015


DESCRIPTION

Presentation about real life security

TRANSCRIPT

RISK = IMPACT x PROBABILITY

Source: OWASP Testing Guide (www.owasp.org)

INCIDENT INVESTIGATION: Lessons Learned

Everyone wants to cover their ass

Incidents happen when…

ISV often have IT Infrastructure CHAOS

Clients Like to Repeat Mistakes

R&D Security: “To serve and protect”

Participants Inquiry

Tools (general): Computer Aided Investigative Environment (CAIE), Amazon EC2, VMware vCenter, CentOS Linux, dd, netstat, utmpdump, debugfs, stat, dbg, find, lsof, whois, nslookup, winscp, domain tools, Metasploit Framework, OpenVAS, skypelogview, ProcHeapViewer, MessengerPasswordDecryptor, Wireshark, outlookattachview, chromepass, FirePasswordViewer, Elcomsoft Distributed Password Recovery

Classical Hack

Who is guilty?

Romanian Hacker

?

PART II: Workshop

Take Down Dr. Evil

Story

Dr. Evil has been on the run for months since stealing sensitive information from his former employer Factory Made Winning Pharmaceuticals (FMWP) and creating an explosion in their labs to fake his own death. The body was never recovered and no evidence of his existence has surfaced … until now.

The 1337 pill was going to be the company's new flagship drug.

You are the Forensic Investigator hired to analyze the mobile network traffic.

Are you ready?

ROUND ONE: Flight Plans

Dr. Evil is planning his escape. We know he is using a mobile device with various applications. Investigators need to stay hot on his trail. Can you figure out his escape plan?

1.1) What is the name of the application Dr. Evil used to search for flights?

1.2) What is the date of his first flight?

1.3) What are the airport codes, in order, for each leg of Dr. Evil's trip? (Begin with the originating airport and end at his final destination, e.g. “aaa-bbb,bbb-ccc,ccc-ddd,ddd-eee”.)

Answer slide (extracted values): 210; 349; HONOLULU; 0:A:SLC:LAX:DL:2241:Mar:20:2012; 0:A:GEG:SLC:DL:4442:Mar:20:2012; delta.com; Price=841.59$; AndroidKayak/5.0.1; Android 4.0.3
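As an added example (not from the slides), the following Python reconstructs the Round One answers from a flight-search record the way an investigator would after carving it out of the capture: the app name from the User-Agent, the earliest departure date, and the legs chained into travel order by matching each destination to the next origin. The record string and User-Agent are constructed, modelled on the colon-delimited tokens on the answer slide; the LAX-HNL leg is an assumption, since the slide shows only the SLC-LAX and GEG-SLC legs and the word HONOLULU.

```python
"""Reconstruct an itinerary from flight-search records found in a capture.

Added example for the Round One questions; not part of the original slides.
SAMPLE_RECORD and SAMPLE_USER_AGENT are CONSTRUCTED, shaped like the tokens
on the answer slide. The LAX:HNL leg is an assumption (not on the slide).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample. Each leg is nine colon-separated fields:
# <flag>:<class>:<origin>:<dest>:<carrier>:<flight>:<Mon>:<day>:<year>
# The legs are deliberately NOT in travel order, as captured records need not be.
SAMPLE_RECORD = (
    "0:A:SLC:LAX:DL:2241:Mar:20:2012:"
    "0:A:LAX:HNL:DL:1133:Mar:20:2012:"   # assumed leg, not shown on the slide
    "0:A:GEG:SLC:DL:4442:Mar:20:2012"
)
SAMPLE_USER_AGENT = "AndroidKayak/5.0.1"  # constructed, same pattern as the slide

LEG_FIELDS = 9


@dataclass(frozen=True)
class Leg:
    origin: str
    dest: str
    carrier: str
    flight: str
    date: datetime


def parse_legs(record: str) -> list[Leg]:
    """Split the flat colon-delimited record into Leg objects."""
    tokens = record.split(":")
    if len(tokens) % LEG_FIELDS:
        raise ValueError("record is not a whole number of legs")
    legs = []
    for i in range(0, len(tokens), LEG_FIELDS):
        _flag, _cls, org, dst, car, num, mon, day, year = tokens[i:i + LEG_FIELDS]
        when = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y")
        legs.append(Leg(org, dst, car, num, when))
    return legs


def chain_legs(legs: list[Leg]) -> list[Leg]:
    """Order legs so that each destination feeds the next origin.

    The origin that never appears as a destination is the starting airport;
    the chain is then followed until no leg departs from the current airport.
    """
    by_origin = {leg.origin: leg for leg in legs}
    dests = {leg.dest for leg in legs}
    starts = [o for o in by_origin if o not in dests]
    if len(starts) != 1:
        raise ValueError("legs do not form a single unbroken chain")
    ordered, cur = [], starts[0]
    while cur in by_origin:
        leg = by_origin.pop(cur)
        ordered.append(leg)
        cur = leg.dest
    if by_origin:
        raise ValueError("disconnected legs left over")
    return ordered


def itinerary(legs: list[Leg]) -> str:
    """Answer 1.3 in the 'aaa-bbb,bbb-ccc' form the question asks for."""
    return ",".join(f"{l.origin}-{l.dest}" for l in chain_legs(legs))


def first_flight_date(legs: list[Leg]) -> str:
    """Answer 1.2: the earliest departure date across all legs."""
    return min(l.date for l in legs).strftime("%Y-%m-%d")


def app_from_user_agent(ua: str) -> str | None:
    """Answer 1.1: pull the app name out of an 'Android<App>/<version>' User-Agent."""
    m = re.match(r"Android([A-Za-z]+)/[\d.]+", ua)
    return m.group(1) if m else None


if __name__ == "__main__":
    legs = parse_legs(SAMPLE_RECORD)
    print(app_from_user_agent(SAMPLE_USER_AGENT), first_flight_date(legs), itinerary(legs))
```

Chaining by airport code rather than trusting record order matters because search results and booking responses in a capture are emitted in whatever order the server chose, and a multi-leg trip may be split across several frames.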

ROUND TWO: Secret Meeting

Before Dr. Evil left for his flight, he had to take care of some business with a prospective buyer for the 1337 pill formula. This packet capture begins at the start of his trip and ends when he reaches his destination.

2.1) One time during his trip, the doctor used his mobile device to search for the name of his destination. What were his search terms?

2.2) At the moment the doctor searched for the name of his destination, what were his GPS coordinates?

2.3) During the trip, Dr. Evil's mobile device alerted him that he was within eight hundred meters of another person. Based on the alert in the packet capture, was this person male or female?

2.4) At what time did Dr. Evil arrive at his destination (in UNIX epoch time)?

Answer slide (extracted values): 376; TCP; Samantha, Female; 5077; frame.time_epoch == 1331150170.516925000

Thank you for your attention.

Questions?
