Digital Forensics for Cyber Defense Frameworks to Structure Analysis
Post on 24-Jun-2020

Page 1: Digital Forensics for Cyber Defense - (ISC)² Middle ...isc2chapter-middlega.org/wp-content/uploads/2019/... · Digital Forensics for Cyber Defense - Disclaimer The contents of this

Digital Forensics for Cyber Defense

Frameworks to Structure Analysis

Page 2

Digital Forensics for Cyber Defense - Disclaimer

The contents of this presentation are not my own views and do not represent that of my employer. The contents of this presentation draw upon publicly available information and my own perceptions in a best effort to create awareness on the contained subject matter. Enjoy the show...

Page 3

Digital Forensics for Cyber Defense - #WHOAMI

.@home:~$ whoami

PeterStaarfanger

.@home:~$ uptime

13 Years+

.@home:~$ service --status-all

[ + ] Master of Science, Information Security, Capella University, 2007

[ + ] Bachelor of Science, Computer Science, Columbus State University, 2004

[ + ] Associate of Applied Science, Criminal Justice, Columbus State University, 2000

[ + ] GXPN - GIAC Exploit Researcher and Advanced Pen Tester, 2018

[ + ] GREM - GIAC Reverse Engineering Malware, 2017

[ + ] CFSR - Certified Forensic Security Responder, 2016

[ + ] CBE - Certified Blacklight Examiner, 2016

[ + ] CMO - Certified Mobile Operator, 2016

[ + ] ASA - ArcSight Advanced Security Analyst, 2016

[ + ] EnCE - EnCase Certified Examiner, 2015

[ + ] ISSEP - Information Systems Engineering Professional, 2011

[ + ] CISSP - Certified Information Security Systems Professional, 2008

[ + ] CHFI - Certified Hacking Forensic Investigator, 2009

[ + ] CEH - Certified Ethical Hacker, 2008

[ + ] CSFA - Certified Stonegate Firewall Architect, 2012

[ + ] CCNA - Cisco Certified Network Associate, 2007 (expired)

[ + ] SECURITY+ - 2005

[ + ] NETWORK+ - 2005

[ + ] DOD Incident Handler Certified - 2005

.@home:~$ uname -a

Cyber Defense Forensic Analyst Lead

.@home:~$ ls -1

Malware Risk and Mitigation Report

Mobile Technology Layered Security Model

A Malware Analysis Story

Memory Analysis for Responders

Digital First Response Blog

Exploit2Forensics

Digital Forensic Analyst as a Career

Digital Forensics for Cyber Defense Part 1 & 2 :)

Page 4

Digital Forensics for Cyber Defense - Overview

- Modern IT Environment

- Digital Forensics and Incident Response

- Cyber Defense Perspective

- Tactics for Digital Forensics

- Analysis Approaches

- Your Forensic Community Matters!

Page 5

Modern IT Environment

Page 6

Digital Forensics and Incident Response

NIST SP 800-61 (Computer Security Incident Handling Guide)

NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response)

Page 7

Cyber Defense Perspective

Lockheed Martin’s “Cyber Kill Chain®”

David J Bianco’s “Pyramid of Pain”

Center for Cyber Threat Intelligence and Threat Research “Diamond Model”

Page 8

Cyber Defense Perspective - Know Defense, Know Offense

Page 9

Tactics for Digital Forensics

Network and Log Forensics

It is possible to have an environment where full packet capture is in place, but it is more likely that only logs are being collected.

Memory Forensics

Analyst time is expensive, and the volume of data to analyze is not your friend. Capturing memory can require more effort than collecting and checking logs.

Cloud Forensics

If your solution is Application-as-a-Service or Platform-as-a-Service and is in scope, this might be your first stop.

Firmware Forensics

This can be very technical and may require highly specialized tools.

Media Forensics

Storage can be large and form factors vary, so the time cost is much higher.


Page 10

Cloud Forensics

Page 11

Cloud Forensics

All those DevOps tools (from HostAdvice):

Page 12

Network and Log Forensics

1. Know your Protocols

a. 7-Layer (OSI Model) or 4-Layer (RFC 1122)

b. Know Common Ports, Know Common Protocols by Layer, Know Common Applications

c. Understand the Network Environment and IP Addressing (RFC 1918)

Page 13

Network and Log Forensics

2. Know your Applications and Operating Systems (OS)

a. Get an accurate inventory of the OSes and applications owned by the company

b. Check, product by product, what logs are available and what is actually being collected

c. Understand what normal looks like

3. Know your Tools

a. Packet Capture Tools

b. Log Collection and Analysis Tools

c. Know Common Security Products and where they operate

d. Learn a 4th Generation Programming Language!

Page 14

Memory Forensics

1. Know your Layers

a. RFC3227 - Guidelines for Evidence Collection and Archiving (See Order of Volatility)

b. Understand the CPU and its Protection Rings

c. Understand Memory Layout

d. Understand the difference between Physical Memory (Page Frames) and Virtual Memory (Pages)

e. Understand the organization of Virtual Memory

f. Understand how the Operating System performs Memory Management

2. Know your Tools

a. Memory Acquisition Tools (Virtual vs Physical Devices)

b. Memory Analysis Tools (Structured and Unstructured)

c. Memory Carving Tools (Structured and Unstructured)

d. Learn a 4th Generation Programming Language!

Page 15

Media Forensics

Know your Layers and Tools!

Brian Carrier’s File System Forensic Analysis

1. Acquisition Tools (Scoping!)

2. Analysis Tools (Structured and Unstructured)

3. Carving Tools (Structured and Unstructured)

4. Learn a 4th Generation Programming Language

5. Understand the different types of media/hardware in use

Page 16

Firmware Forensics

1. Know your Layers

a. Supply Chain Attacks and/or BIOS Exploitation

b. Flash Memory on the Motherboard (check the vendor documentation)

c. Understand Memory Range assignment by the OS

2. Know your Tools

a. Firmware Acquisition (Physical or Logical)

b. Firmware Analysis (Hex Editors and Disassemblers!)

c. Firmware Carving Tools

Page 17

Analysis Techniques

1. Temporal Analysis

2. Differential Analysis

3. Anomaly-Based Analysis (think LOLBins!)

4. Signature-Based Analysis

5. Rule-Based Analysis

6. Keyword Search and Proximity Analysis

7. Static Analysis

8. Code Analysis

9. Dynamic Analysis

10. Statistical Analysis
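Added example (not from the presentation) tying the Network and Log Forensics points (RFC 1918 addressing, knowing common ports, knowing what normal looks like) to the temporal and differential analysis techniques listed above: it orders constructed firewall-style log lines by time and flags internal-host traffic that departs from an assumed per-host baseline, separating internal-to-internal (lateral) from internal-to-external (outbound) deviations. The RFC 1918 ranges are real; the log lines, host addresses and baseline are constructed for the example.

```python
import ipaddress
from datetime import datetime

# RFC 1918 private ranges: anything inside these counts as "internal" here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed baseline of "normal" destination ports per internal host (constructed).
BASELINE = {"10.1.2.3": {53, 443}, "192.168.5.9": {53, 80, 443}}

# Constructed firewall-style log lines: timestamp src dst dst_port proto (not real data).
SAMPLE_LOGS = """\
2019-05-01T10:00:05Z 10.1.2.3 203.0.113.10 443 tcp
2019-05-01T09:59:58Z 192.168.5.9 10.1.2.3 445 tcp
2019-05-01T10:00:01Z 10.1.2.3 198.51.100.7 9001 tcp
2019-05-01T10:00:03Z 192.168.5.9 203.0.113.10 80 tcp
"""

def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse(text):
    """Parse the space-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst, "port": int(port), "proto": proto})
    return events

def timeline(events):
    """Temporal analysis: order events by time so the sequence of activity is visible."""
    return sorted(events, key=lambda e: e["ts"])

def differential(events, baseline):
    """Differential analysis: (time, src, dst, port, direction) for internal-host
    traffic whose destination port is not in that host's baseline."""
    findings = []
    for e in timeline(events):
        if not is_internal(e["src"]):
            continue
        if e["port"] not in baseline.get(e["src"], set()):
            direction = "lateral" if is_internal(e["dst"]) else "outbound"
            findings.append((e["ts"].isoformat(), e["src"], e["dst"], e["port"], direction))
    return findings

if __name__ == "__main__":
    for finding in differential(parse(SAMPLE_LOGS), BASELINE):
        print(*finding)
```

On the sample data the earliest deviation is the internal SMB-port connection between the two hosts, which the timeline places before the unusual outbound connection; a real run would substitute the organisation's own inventory-derived baseline.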

Page 18

Your Forensic Community Matters

Page 19

DISCLAIMER

1. FOLLOW THE LAWS OF THE COUNTRY THE EVIDENCE IS EXPECTED TO BE COLLECTED IN!

2. FOLLOW ANY ESTABLISHED RULES FOR THE COUNTRY OR COMPLIANCE FRAMEWORKS THAT ARE APPLICABLE TO THE EVIDENCE!

3. FOLLOW ESTABLISHED PRACTICES FOR FORENSICS! (ISO27037, ISO27041 thru ISO27043, ISO17025, SWGDE, PCI PFI, ISFCE, IACIS)

4. THE DAUBERT STANDARD! (NOTE THIS IS FROM THE USA)

a. Whether the theory or technique employed by the expert is generally accepted in the scientific community;

b. Whether it has been subjected to peer review and publication;

c. Whether it can be and has been tested;

d. Whether the known or potential rate of error is acceptable; and

e. Whether the research was conducted independent of the particular litigation or dependent on an intention to provide the proposed testimony.

Page 20

Digital Forensics for Cyber Defense - Discussion

Thank you for your time!