Forensics
More Than Just Hard Drives
Ron Bernier
Director of nDiscovery
Sage Data Security
whoami: Ron Bernier
• Director of nDiscovery & Chief Architect
• With Sage since 2006
• Employed in IT since 1988
• Info Security about 10-15 years
• Twitter: @nDiscoveRon
Sage Organizational Profile
• Founded in 2002
• Exclusively focused on information security / cybersecurity services
• Based in Portland, Maine
• Host of annual Cybercrime Symposium in Portsmouth, New Hampshire
Sage Professional Services
We Will Cover ...
• Digital Forensics Evolution
  • Overview
  • How?
  • Uses
• Network Forensics
  • Overview
  • How?
  • What To Look For
• Pros and Cons of Both
Digital Forensics
• Historically, simply hard drive forensics
• Live Evidence now also prominent
  • RAM
    • What the PC is “thinking”
    • Possible to find decryption keys
  • Running processes
    • Detect rogue processes quickly
  • Network Connections
    • Detect rogue network connections
    • Command and Control (C2)
  • Anything that disappears when the device is shut down
Live Evidence Collection – How?
• Trained Cyber “First Responders”
• Minimize Interaction
• Secure Collection
• Proper Documentation
• Secure Evidence/Chain of Custody
• Determine collection requirements ahead of time
Digital Evidence Uses
• Digital forensic analysis is reactive
• Post-incident/post-breach
• Performed by specially trained individuals
• Performed with sophisticated tools
• Digital evidence can be duplicated for analysis, whereas physical evidence cannot
Network Forensics
• Network forensics is proactive
• Pre-incident/pre-breach detection
• “Hunting” for compromise
• Performed by trained individuals
• Performed with sophisticated methodology
Network Forensics Evidence – How?
• Syslog
• Firewall
• Proxy
• Routers/Switches
• VCenter/VMWare
• Authentication (RSA/VPN)
• SAN/NAS
• Wireless Access Points, etc.
• Web Server
• Windows Servers
• Database Servers
• Usually collected with a SIEM or a third-party SIEM-as-a-Service
What To Look For
• Anything unusual – but you must first know normal
• Known bad actor addresses
  • IP reputation
  • GeoIP reputation
  • Domain and HostName reputation
• Known bad actor URL syntax
• Known bad actor tendencies
  • Domain Generation Algorithms (DGA)
  • Domain Shadowing
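As an added illustration of the "what to look for" slide (example code written for this transcript, not part of the presentation), the script below triages constructed proxy syslog lines against a hypothetical reputation list and a simple DGA heuristic (long, high-entropy, vowel-poor second-level labels). The log lines, the KNOWN_BAD_DOMAINS set and the entropy thresholds are all assumptions chosen for the demo.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log lines (syslog style); not taken from the talk.
SAMPLE_LOGS = [
    "Mar 3 10:01:02 proxy01 squid: 10.0.0.5 GET http://www.example.com/index.html 200",
    "Mar 3 10:01:09 proxy01 squid: 10.0.0.5 GET http://xk3q9vz1ptw7lm.info/a.php 200",
    "Mar 3 10:02:15 proxy01 squid: 10.0.0.7 GET http://mail.example.org/login 302",
    "Mar 3 10:02:44 proxy01 squid: 10.0.0.9 GET http://bad.example.net/c2 200",
]

# Hypothetical reputation list standing in for a real threat-intel feed.
KNOWN_BAD_DOMAINS = {"bad.example.net"}

HOST_RE = re.compile(r"https?://([^/\s:]+)")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(label):
    """Heuristic: long label, high character entropy, few vowels (thresholds assumed)."""
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) > 3.3 and vowels / len(label) < 0.3


def classify_host(host):
    """Return 'known-bad', 'dga-like' or 'ok' for a hostname."""
    if host in KNOWN_BAD_DOMAINS:
        return "known-bad"
    parts = host.split(".")
    sld = parts[-2] if len(parts) >= 2 else parts[0]  # second-level label
    if looks_dga(sld):
        return "dga-like"
    return "ok"


def triage(lines):
    """Return (host, verdict) for every log line whose host is not 'ok'."""
    flagged = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        verdict = classify_host(host)
        if verdict != "ok":
            flagged.append((host, verdict))
    return flagged
```

The reputation match catches what a feed already knows; the entropy check is the "know normal" part, so tune its thresholds against your own baseline before alerting on it.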
Pros and Cons
Digital Forensics
• Pros
  • What Data
  • When Data Left
  • How Compromised
• Cons
  • Reactive
  • Where Data Went
  • Evidence Integrity
  • Late Detection
Network Forensics
• Pros
  • Where Data Went
  • When Data Left
  • How Compromised
  • Proactive
  • Early Detection
  • Evidence Integrity
• Cons
  • What Data
Questions?
• Ron Bernier
• [email protected]
• Twitter: @nDiscoveRon