sh#3 incident forensics
DESCRIPTION
Presentation about real life security
TRANSCRIPT
RISK = IMPACT x PROBABILITY
Source: OWASP Testing Guide (www.owasp.org)
INCIDENT INVESTIGATION: Lessons Learned
Everyone wants to cover their ass
Incidents happen when…
ISVs often have IT infrastructure CHAOS
Clients Like to Repeat Mistakes
R&D Security: “To serve and protect”
Participants Inquiry
Tools (general): Computer Aided INvestigative Environment (CAINE), Amazon EC2, VMware vCenter, CentOS Linux, dd, netstat, utmpdump, debugfs, stat, dbg, find, lsof, whois, nslookup, WinSCP, DomainTools, Metasploit Framework, OpenVAS, SkypeLogView, ProcHeapViewer, MessengerPasswordDecryptor, Wireshark, OutlookAttachView, ChromePass, FirePasswordViewer, Elcomsoft Distributed Password Recovery
Classical Hack
Who is guilty?
Romanian Hacker
?
PART II: Workshop
Take Down Dr. Evil
Story
Dr. Evil has been on the run for months since stealing sensitive information from his former employer Factory Made Winning Pharmaceuticals (FMWP) and creating an explosion in their labs to fake his own death. The body was never recovered and no evidence of his existence has surfaced … until now.
The 1337 pill was going to be the company's new flagship drug.
You are the Forensic Investigator hired to analyze the mobile network traffic.
Are you ready?
ROUND ONE: Flight Plans
Dr. Evil is planning his escape. We know he is using a mobile device with various applications. Investigators need to stay hot on his trail. Can you figure out his escape plan?
1.1) What is the name of the application Dr. Evil used to search for flights?
1.2) What is the date of his first flight?
1.3) What are the airport codes, in order, for each leg of Dr. Evil's trip? (Beginning with the originating airport and ending at his final destination, e.g. “aaa-bbb,bbb-ccc,ccc-ddd,ddd-eee”.)
210 HONOLULU 349 0:A:SLC:LAX:DL:2241:Mar:20:2012:0:A:GEG:SLC:DL:4442:Mar:20:2012 delta.com Price=841.59$ Android Kayak/5.0.1 Android 4.0.3
HONOLULU
ROUND TWO: Secret Meeting
Before Dr. Evil left for his flight, he had to take care of some business with a prospective buyer for the 1337 pill formula. This packet capture begins at the start of his trip and ends when he reaches his destination.
2.1) One time during his trip, the doctor used his mobile device to search for the name of his destination. What were his search terms?
2.2) At the moment that the doctor searched for the name of his destination, what were his GPS coordinates?
2.3) During the trip, Dr. Evil's mobile device alerted him that he was within eight hundred meters of another person. Based on the alert in the packet capture, was this person male or female?
2.4) At what time did Dr. Evil arrive at his destination (in UNIX epoch time)?
376 TCP Samantha Female 5077 frame.time_epoch == 1331150170.516925000
Samantha
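The two answer slides above leave the analyst with raw strings pulled out of the capture: a Kayak itinerary record for question 1.3 and a Wireshark epoch timestamp for question 2.4. The following is an added example (not part of the workshop material) that turns both into answer-ready form; the per-leg field layout of the Kayak record is my assumption from the single sample on the slide, and chaining legs by airport handles the fact that the record lists them out of travel order.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the itinerary fragment as it appears on the round-one answer slide.
KAYAK_RECORD = "0:A:SLC:LAX:DL:2241:Mar:20:2012:0:A:GEG:SLC:DL:4442:Mar:20:2012"

# Assumed layout of one leg: <idx>:<cabin>:<from>:<to>:<carrier>:<flight>:<Mon>:<day>:<year>
LEG_RE = re.compile(
    r"(\d+):([A-Z]):([A-Z]{3}):([A-Z]{3}):([A-Z0-9]{2}):(\d+):([A-Z][a-z]{2}):(\d{1,2}):(\d{4})"
)


def parse_legs(record):
    """Extract every leg in the record, in the order the record lists them."""
    legs = []
    for m in LEG_RE.finditer(record):
        _idx, _cabin, src, dst, carrier, flight, mon, day, year = m.groups()
        date = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
        legs.append({"from": src, "to": dst, "flight": f"{carrier}{flight}", "date": date})
    return legs


def order_legs(legs):
    """Chain legs from true origin to final destination.

    The record lists SLC-LAX before GEG-SLC, so list order cannot be trusted;
    the origin is the one airport that no leg arrives at.
    """
    by_origin = {leg["from"]: leg for leg in legs}
    if len(by_origin) != len(legs):
        raise ValueError("repeated origin airport; itinerary is not a single chain")
    arrivals = {leg["to"] for leg in legs}
    origins = [o for o in by_origin if o not in arrivals]
    if len(origins) != 1:
        raise ValueError("itinerary is not a single chain")
    ordered, cur = [], origins[0]
    while cur in by_origin:
        leg = by_origin.pop(cur)
        ordered.append(leg)
        cur = leg["to"]
    if by_origin:
        raise ValueError("disconnected legs left over")
    return ordered


def route_string(legs):
    """Format legs in the 'aaa-bbb,bbb-ccc' form the question asks for."""
    return ",".join(f"{leg['from']}-{leg['to']}" for leg in order_legs(legs))


def epoch_to_utc(ts):
    """Render a frame.time_epoch value as a human-readable UTC timestamp."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(timespec="seconds")
```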
Thank you for your attention.
Questions?