bsidesto - incident response for cheapskates
DESCRIPTION
My talk for BSides Toronto 2013 outlining cost-effective ways to conduct incident response and digital forensics in the real world.
TRANSCRIPT
![Page 1: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/1.jpg)
Incident Response for Cheapskates
Lee Brotherston
![Page 2: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/2.jpg)
Let's define an Incident
![Page 3: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/3.jpg)
Where can we Improve?
![Page 4: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/4.jpg)
Hijack / Integrate with Existing processes
![Page 5: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/5.jpg)
Roles & Responsibilities
![Page 6: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/6.jpg)
Determine the Rules of engagement
![Page 7: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/7.jpg)
Leverage existing tools
![Page 8: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/8.jpg)
Relationships and Politics
![Page 9: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/9.jpg)
SIEM'less Intelligence
![Page 10: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/10.jpg)
Live system Forensics
![Page 11: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/11.jpg)
Sniper Forensics
![Page 12: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/12.jpg)
Memory Analysis with Volatility
![Page 13: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/13.jpg)
The Sleuth Kit + Autopsy
![Page 14: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/14.jpg)
But... Encase & hardware Write Blocker?
![Page 15: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/15.jpg)
![Page 16: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/16.jpg)
![Page 17: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/17.jpg)
Write Blocker Diagram (board components: Oxford Semiconductor OXUF922 Bridge Chip, Agere FW801, SST 39VF100 Flash, IDT 71V016SA RAM; interfaces: Firewire, USB, IDE)
![Page 18: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/18.jpg)
OXUF922 Bridge Chip block diagram (Arm Processor, DMA: 1394 / USB / UART / IDE / Serial, Queue Manager, RAM Control)
![Page 19: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/19.jpg)
Hardware Write Blockers Run Software!
Attribution: Brad McMahon
![Page 20: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/20.jpg)
Taking an image with dc3dd / dd
![Page 21: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/21.jpg)
```
# parted /mnt/usbdsk/target0_img.dd
GNU Parted 2.3
Using /mnt/usbdsk/target0_img.dd
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit
Unit? [compact]? B
(parted) print
Model: (file)
Disk /mnt/usbdsk/target0_img.dd: 500107862016B
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start          End            Size           Type     File system
 1      1048576B       210763775B     209715200B     primary  ntfs
 2      210763776B     107586662399B  107375898624B  primary  ntfs
 3      107586662400B  479341645311B  371754982912B  primary  ntfs
 4      479341645312B  500103450111B  20761804800B   primary  diag
(parted) quit

# mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/
# ls /mnt/image/
pagefile.sys   Program Files   System Volume Information   Documents and Settings   PerfLogs
Program Files (x86)   Recovery   Users   ProgramData   $Recycle.Bin   Windows
```
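A small helper, added here as an example and not part of the talk, that automates the step above: it parses parted `print` output in byte units (a constructed copy of the slide's partition table), checks that each partition's Start/End/Size are self-consistent before the offset is trusted, and emits the read-only loop mount command. Beyond the slide's options it adds `noexec` and a `sizelimit=` so the loop device cannot extend past the partition's end; both are standard mount(8) loop options.

```shell
#!/bin/sh
# Constructed sample: parted 'print' output with 'unit B', mirroring the slide's table.
PARTED_OUT='Number  Start          End            Size           Type     File system  Flags
 1      1048576B       210763775B     209715200B     primary  ntfs
 2      210763776B     107586662399B  107375898624B  primary  ntfs
 3      107586662400B  479341645311B  371754982912B  primary  ntfs
 4      479341645312B  500103450111B  20761804800B   primary  diag'

# part_offset NUM: print the byte offset (Start column) of partition NUM; fail if absent.
part_offset() {
    printf '%s\n' "$PARTED_OUT" | awk -v n="$1" '
        $1 == n && $2 ~ /B$/ { sub(/B$/, "", $2); print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# part_size NUM: print the byte length (Size column) of partition NUM; fail if absent.
part_size() {
    printf '%s\n' "$PARTED_OUT" | awk -v n="$1" '
        $1 == n && $4 ~ /B$/ { sub(/B$/, "", $4); print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_geometry NUM: succeed only if End - Start + 1 == Size for partition NUM.
# A mismatch means the table is damaged or misread and the offset should not be used blindly.
check_geometry() {
    printf '%s\n' "$PARTED_OUT" | awk -v n="$1" '
        $1 == n { gsub(/B/, ""); ok = ($3 - $2 + 1 == $4) }
        END { exit ok ? 0 : 1 }'
}

# mount_cmd NUM IMAGE MOUNTPOINT: print the read-only loop mount command for partition NUM.
# ro keeps the evidence unmodified, noexec stops anything on it from being run,
# sizelimit confines the loop device to the partition.
mount_cmd() {
    check_geometry "$1" || return 1
    off=$(part_offset "$1") || return 1
    size=$(part_size "$1") || return 1
    printf 'mount -o loop,ro,noexec,offset=%s,sizelimit=%s %s %s\n' "$off" "$size" "$2" "$3"
}
```

Pipe real `parted IMAGE unit B print` output into `PARTED_OUT` to use it on an actual image; the geometry check catches a truncated or corrupt table before anything is mounted.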
![Page 22: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/22.jpg)
What about virtualised Environments?
![Page 23: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/23.jpg)
Free Forensics Tools vs Encase
![Page 24: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/24.jpg)
Data & File Analysis Tools
![Page 25: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/25.jpg)
For starters try C.A.IN.E (Linux LiveCD)
![Page 26: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/26.jpg)
Remediation: Cleanup/Shutdown/Prosecute
![Page 27: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/27.jpg)
Lessons Learned. Let's Market!
![Page 28: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/28.jpg)
Thank you. Any Questions?
Lee Brotherston - @leEb_public - [email protected]@nerds.org.uk
![Page 29: BSidesTO - Incident Response for Cheapskates](https://reader036.vdocuments.mx/reader036/viewer/2022081404/559dcbe91a28ab69368b4687/html5/thumbnails/29.jpg)
Some Things I Mentioned
● Flow-tools: http://www.splintered.net/sw/flow-tools/
● Sleuthkit & Autopsy: http://www.sleuthkit.org/
● Volatility: https://www.volatilesystems.com/default/volatility
● C.A.IN.E: http://www.caine-live.net/
● Dc3dd: http://sourceforge.net/projects/dc3dd/