Date post: 09-Jul-2015 | Category: Technology | Upload: lee-brotherston
Incident Response for Cheapskates
Lee Brotherston

Let's define an Incident

Where can we Improve?

Hijack / Integrate with Existing processes

Roles & Responsibilities

Determine the Rules of engagement

Leverage existing tools

Relationships and Politics

SIEM'less Intelligence

Live system Forensics

Sniper Forensics

Memory Analysis with Volatility

The Sleuth Kit + Autopsy

But... Encase & hardware Write Blocker?
(Write blocker board photo: Oxford Semiconductor OXUF922 Bridge Chip, Agere FW801, SST 39VF100 Flash, IDT 71V016SA RAM; Firewire, USB and IDE ports)

Write Blocker Diagram
(Block diagram of the OXUF922 Bridge Chip: Arm Processor, DMA for 1394 / USB / UART / IDE / Serial, Queue Manager, RAM Control)

Hardware Write Blockers Run Software!
Attribution: Brad McMahon
Taking an image with dc3dd / dd

# parted /mnt/usbdsk/target0_img.dd
GNU Parted 2.3
Using /mnt/usbdsk/target0_img.dd
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit
Unit? [compact]? B
(parted) print
Model: (file)
Disk /mnt/usbdsk/target0_img.dd: 500107862016B
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start          End            Size           Type     File system
 1      1048576B       210763775B     209715200B     primary  ntfs
 2      210763776B     107586662399B  107375898624B  primary  ntfs
 3      107586662400B  479341645311B  371754982912B  primary  ntfs
 4      479341645312B  500103450111B  20761804800B   primary  diag
(parted) quit

# mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/
# ls /mnt/image/
pagefile.sys  Program Files  System Volume Information  Documents and Settings  PerfLogs
Program Files (x86)  Recovery  Users  ProgramData  $Recycle.Bin  Windows
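The offset passed to mount above (210763776) is just partition 2's start sector multiplied by the 512-byte sector size, which parted reads out of the MBR. The script below is an added example, not code from the slides: it parses the MBR partition table of a raw image itself, prints the same byte offsets parted reports, emits the read-only loop-mount command for each partition, and hashes the image so it can be compared with the hash dc3dd recorded at acquisition time. The sample image is constructed in memory with the four-partition layout from the parted output; the type-name labels and the `/mnt/image` mountpoint are assumptions for illustration. Logical partitions inside an extended partition and GPT disks are deliberately not parsed; the code says so rather than silently returning wrong offsets.

```python
"""Loop-mount offsets from an MBR partition table (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512            # logical sector size parted reported for this image
MBR_ENTRY_OFFSET = 446  # the four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"

# Assumed labels for display only; parted prints its own names and flags.
TYPE_NAMES = {
    0x05: "extended", 0x0F: "extended (LBA)", 0x07: "ntfs",
    0x27: "diag (Windows RE)", 0x83: "linux", 0xEE: "gpt protective",
}


@dataclass
class Partition:
    number: int
    type_id: int
    start_sector: int
    sector_count: int

    @property
    def offset(self) -> int:      # byte offset, i.e. mount's offset= value
        return self.start_sector * SECTOR

    @property
    def size(self) -> int:
        return self.sector_count * SECTOR

    @property
    def end(self) -> int:         # inclusive last byte, as parted prints it
        return self.offset + self.size - 1


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Return the non-empty primary entries of an MBR, in table order.

    Extended containers (0x05/0x0F) are listed as-is; the logical
    partitions inside them live in an EBR chain this parser does not walk.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR image")
    parts = []
    for i in range(4):
        entry = sector0[MBR_ENTRY_OFFSET + 16 * i:MBR_ENTRY_OFFSET + 16 * (i + 1)]
        type_id = entry[4]
        start, count = struct.unpack("<II", entry[8:16])  # LBA start, LBA count
        if type_id == 0 or count == 0:
            continue                                      # empty slot
        if type_id == 0xEE:
            raise ValueError("protective MBR: this disk is GPT, parse the GPT instead")
        parts.append(Partition(i + 1, type_id, start, count))
    return parts


def mount_command(image_path: str, part: Partition, mountpoint: str = "/mnt/image") -> str:
    """Read-only loop mount, as on the slide: never mount evidence rw."""
    return f"mount -o loop,ro,offset={part.offset} {image_path} {mountpoint}"


def describe(parts: List[Partition]) -> List[str]:
    """One line per partition in the style of `parted ... unit B print`."""
    return [
        f"{p.number} {p.offset}B {p.end}B {p.size}B "
        f"{TYPE_NAMES.get(p.type_id, f'type 0x{p.type_id:02x}')}"
        for p in parts
    ]


def build_sample_image() -> bytes:
    """Constructed MBR with the four-partition layout shown on the slide."""
    layout = [  # (type, start sector, sector count), assumed type bytes
        (0x07, 2048, 409600),            # 1048576B .. 210763775B
        (0x07, 411648, 209718552),       # the volume mounted on the slide
        (0x07, 210130200, 726083951),
        (0x27, 936214151, 40550400),     # recovery partition, 'diag' in parted
    ]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x00, b"\xff\xff\xff", t, b"\xff\xff\xff", s, n)
        for t, s, n in layout
    )
    # sector 0 (bootstrap zeroed) plus one empty sector so the file is > 512 bytes
    return bytes(MBR_ENTRY_OFFSET) + table + MBR_SIGNATURE + bytes(SECTOR)


def sha256_hex(data: bytes) -> str:
    """Hash to compare against the one recorded when the image was taken."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image = build_sample_image()
    parts = parse_mbr(image[:SECTOR])
    print("sha256:", sha256_hex(image))
    for line in describe(parts):
        print(line)
    print(mount_command("/mnt/usbdsk/target0_img.dd", parts[1]))
```

On a real image, feed `parse_mbr` the first 512 bytes of the .dd file; the offsets it prints are what `mount -o loop,ro,offset=` needs, and the hash should match the one dc3dd produced during acquisition (dc3dd can hash the input stream while it images; check `dc3dd --help` for the exact `hash=` option on your version).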
What about virtualised Environments?

Free Forensics Tools vs Encase

Data & File Analysis Tools

For starters try C.A.IN.E (Linux LiveCD)

Remediation
Cleanup/Shutdown/Prosecute

Lessons Learned. Let's Market!

Thank you
Any Questions?
Lee Brotherston - @leEb_public - [email protected]@nerds.org.uk
Some Things I Mentioned
● Flow-tools: http://www.splintered.net/sw/flow-tools/
● Sleuthkit & Autopsy: http://www.sleuthkit.org/
● Volatility: https://www.volatilesystems.com/default/volatility
● C.A.IN.E: http://www.caine-live.net/
● Dc3dd: http://sourceforge.net/projects/dc3dd/