1 © Zacco 2016
WHO AM I
NIKLAS.ANDERSSON@ZACCO.COM
• Started in IT 1994 and moved into IT Security in 1998 – never looked back
• Joined Zacco 2016 (previously Coresec/AddPro)
• Experience from security infrastructure like firewalls, IPS/IDP, encryption
and Windows/Linux
• Certifications
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Reverse Engineering Malware (GREM)
ZACCO
EUROPE
Copenhagen, Aarhus, Lyngby, Esbjerg, Munich, Bremen, Oslo, Ålesund, Sarpsborg, Stavanger, Kjeller
Stockholm, Gothenburg, Anderstorp, Helsingborg, Linköping, Luleå, Lund, Malmö, Norrköping, Skellefteå, Västervik, Uppsala
ZACCO
OUR SERVICES
ZACCO
INFORMATION AND IT SECURITY
AGENDA
DIRF
• Digital Forensics
• Collect and preserve digital evidence
• Analyze following proven methodologies
• Report – Timeline events and activity
• Require deep technical knowledge
• Incident Response
• Don’t panic
• Have a plan
• Live acquisition of evidence
DIGITAL FORENSICS
SHORT VERSION
• Digital Forensics is equivalent to Computer Forensics. The term was popularized in 1980 when personal computers arrived… …and soon enough were used to commit crimes
DIGITAL FORENSICS
FOLLOW PROVEN METHODOLOGIES
• Collect evidence
• Preserve evidence
• Analysis – forensics tools and knowledge
• Create timeline of the activity
• Present facts, not speculation
• Question the evidence and verify
• Report (important)
• List and document evidence for verification purpose
DIGITAL FORENSICS
TYPES OF INVESTIGATIONS
• Intrusions (External/internal)
• Malware infection
• Internal misuse of IT assets
• Employee stealing/trading company information
• Troubleshooting
DIGITAL FORENSICS
SOURCES
Many different types of devices and applications
• Operating Systems
• Memory Captures/Snapshot
• Hard drive/Clone/Memory card/USB Drives
• Network captures
• Applications
• Databases
• Log sources
DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)
Artifacts found in a memory dump/hibernation file
DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)
Additional artifacts found on a hard drive or VM clone
• Hibernation files
• All files on disk
• Deleted files
• Databases
• Active Directory
• Event Logs/Application logs
• Application crashdump(s)
• Volume Shadow Snapshot
• MFT, Registry hives, logs, hibernation files
DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)
• Created accounts
• Login to Webmail/VPN
• Collected information
• Lateral movement
• Network activity
• Directory Browsing
• Opening of documents and pictures
DIGITAL FORENSICS
POPULAR ATTACK VECTOR
• Exploiting bugs in operating systems, services or applications
• Misconfigurations
• Drive-by downloads
• Phishing email
• Key factor in many cases: very helpful end users.
• Execute Binary (.exe)
• Execute scripts (PowerShell, JavaScript, Visual Basic...)
DIGITAL FORENSICS
POPULAR ATTACKER TOOLS
• Metasploit
• SqlMap
• Google
• PowerShell frameworks
• PowerSploit
• Empire
• PSAttack
• Mimikatz (dump passwords)
• Nirsoft - Web Browser Password Dumper
DIGITAL FORENSICS
LATERAL MOVEMENT
What this means
• The attacker has compromised a computer behind the perimeter defense
• Additional tools could be downloaded
• Psexec (Sysinternals)
• "net use" (built in)
• PowerShell (very powerful)
• Remote Desktop
• VBS script
• Scheduled task
• Mimikatz
This normally does not trigger any alerts on the endpoint or gateway security products.
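As an added example (not from the deck) covering both the "create timeline of the activity" step of the methodology slide and the lateral-movement tools listed here: a Python script that merges constructed Windows event and VPN log lines into one UTC-ordered timeline and flags the indicators a defender would look for (network and RDP logons, a PsExec service install, scheduled task creation, new accounts). The log format and all sample values are constructed; the event IDs and the PSEXESVC service name are standard Windows values.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not real data) in a simplified
# "timestamp|source|key=value ..." format, deliberately out of order.
SAMPLE_LOGS = """\
2016-05-10T08:01:12Z|system|id=7045 host=FILESRV01 service=PSEXESVC
2016-05-10T08:01:10Z|security|id=4624 type=3 user=jdoe host=FILESRV01 src=10.0.0.21
2016-05-10T07:58:02Z|vpn|user=jdoe src=203.0.113.7 action=connect
2016-05-10T08:03:40Z|security|id=4698 host=FILESRV01 user=jdoe task=updater
2016-05-10T08:05:05Z|security|id=4720 host=DC01 user=svc_backup2 by=jdoe
2016-05-10T08:06:00Z|security|id=4624 type=10 user=jdoe host=DC01 src=10.0.0.21
"""

# Indicator rules keyed on Windows event id; each returns a label or None.
# 4624 logon type 3 = network logon (SMB / "net use"), type 10 = RDP;
# 7045 = service installed (PsExec creates the PSEXESVC service);
# 4698 = scheduled task created; 4720 = user account created.
LOGON_TYPES = {"3": "network logon (net use / SMB)", "10": "RDP logon"}
RULES = {
    "4624": lambda f: LOGON_TYPES.get(f.get("type")),
    "7045": lambda f: "PsExec-style service install" if f.get("service") == "PSEXESVC" else None,
    "4698": lambda f: "scheduled task created",
    "4720": lambda f: "new account created",
}

def parse_line(line):
    """Split one constructed log line into a dict with a UTC timestamp."""
    ts, source, rest = line.split("|", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": source, **fields}

def build_timeline(text):
    """Merge all sources into a single timeline ordered by UTC time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])

def flag_indicators(timeline):
    """Return (time, host, user, label) for each event matching a rule."""
    hits = []
    for e in timeline:
        rule = RULES.get(e.get("id"))
        label = rule(e) if rule else None
        if label:
            hits.append((e["ts"].isoformat(), e.get("host", "-"),
                         e.get("user", "-"), label))
    return hits
```

Run `flag_indicators(build_timeline(SAMPLE_LOGS))` to see the VPN connect followed, within minutes, by the network logon, service install, task and account creation that together tell the lateral-movement story.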
DIGITAL FORENSICS
INCIDENT RESPONSE
Be prepared and have a plan
• Most important, don’t panic
• Second, don’t panic
• Know what to do and why before doing anything. (important)
• Write down things of importance
• What do we know
• When did we discover the incident
• Actions taken so far
• Users and accounts involved
• List possible resources involved
• Resource owners and contact information
DIGITAL FORENSICS
INCIDENT RESPONSE
Collect evidence
• VPN logs
• Webmail logs
• Active Directory
• Hard drives
DIGITAL FORENSICS
INCIDENT RESPONSE
Analyze the collected evidence
Steps depend on the known scope of the investigation and may change during the investigation
DIGITAL FORENSICS
TAKEAWAYS
• Removing malware or blocking traffic is NOT enough.
• Additional malware or persistence may still exist.
• Reinstalling infected or compromised systems will destroy evidence.
• Data exfiltration is hidden in normal traffic.
• Attackers' lateral movement might not be detected as suspicious.
• New accounts might have been created.
• If we don't know the root cause of the incident, how can we fix it?
DIGITAL FORENSICS
TAKEAWAYS
• Learn the weak spots and prioritize based on risk
• Change log settings to retain logs further back in time
• Save all logs in a safe place for as long as you can.
• Use 2FA for VPN, Webmail and other external access
• Log all traffic in and out of the company/organisation
• Update and configure PowerShell
• Volume Shadow Snapshot is built in (do not turn it off)
• Limit the use of administrative privileges
DIGITAL FORENSICS
MOST IMPORTANT