Modern Incident Response

Post on 21-Jan-2018



1

Modern Incident Response

IT-Security Stammtisch, 10.5.2017

2

$whoami
- Martin Schmiedecker, aka @Fr333k, researcher at SBA Research
- digital forensics!
- online privacy & network security
- I love memes!

3

Why u here?

4

Not about logging
- easy to do
- really good to have it
- Splunk ($), Microsoft Events, ...
- Graylog, ELK stack, ...

5

Agenda
- PC
- Mobile
- Network
- 2+ systems

6

Intrusions
Companies fail to detect intrusions:
- Sony
- Hacking Team
- RSA
- Google, Operation Aurora
- (Stuxnet)

7

Incident response?
- react to security-related events
- containment, prevention
- forensics

8

9

How to
- get RAM!
- inspect the system?
- install a network tap?
- get a hard drive image

10

11

12

Why RAM?
- all the good stuff is in there
- processes, network connections, ...
- non-reproducible: once the machine is off, it is gone
- Volatility is great!

13

How?
- Windows: FTK Imager, WinPmem, DEFT Linux, ...
- Linux: LiME
- Mac OS: OSXPmem
- all of the above: Rekall (GRR)
- Android: LiME (adb)
- iOS: WTF?

14

15

Reality kicks in!
- 1 TB of RAM?
- entire networks? VLANs?
- 10G network links?
- terabytes of storage?

16

17

Inspect the machine
- once you have RAM
- run e.g. Sysinternals tools
- capture traffic
- ...

18

File systems
- commercial world
- timelining is key!
- supertimelines
- fiwalk, part of The Sleuth Kit
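
The timelining step above in working form. This is an added example, not code from the talk or from The Sleuth Kit: a small mactime-style timeliner that reads TSK bodyfile lines (the format written by `fls -m` or fiwalk) and merges every file's four timestamps into one sorted MACB timeline, which is the building block a supertimeline is assembled from. The bodyfile content is constructed for the example; the paths, inodes and timestamps are not from any real case.

```python
"""Added example (not part of The Sleuth Kit): a mactime-style timeliner for
TSK bodyfile v3 lines. Sample data below is constructed."""
from datetime import datetime, timezone

# Bodyfile v3 column order used by The Sleuth Kit:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
TIME_FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample: a web root where one PHP file was dropped on 2017-05-10
# and never touched again (all four timestamps identical).
SAMPLE_BODYFILE = """\
0|/var/www/html/index.php|1001|r/rrw-r--r--|33|33|2048|1494426725|1492000000|1492000000|1491990000
0|/var/www/html/uploads/shell.php|1337|r/rrwxr-xr-x|33|33|713|1494426725|1494426725|1494426725|1494426725
0|/var/log/apache2/access.log|2042|r/rrw-r-----|0|4|5120|0|1494426790|1494426790|1492000000
"""


def parse_bodyfile(text: str):
    """Split bodyfile lines into dicts; refuse lines with the wrong column count."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split("|")
        if len(cols) != 11:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = cols
        entries.append({"md5": md5, "name": name, "inode": inode, "mode": mode,
                        "uid": uid, "gid": gid, "size": int(size),
                        "atime": int(atime), "mtime": int(mtime),
                        "ctime": int(ctime), "crtime": int(crtime)})
    return entries


def build_timeline(entries, start=None, end=None):
    """One row per (timestamp, file). The MACB column marks which of the four
    timestamps coincide at that moment. Zero timestamps mean 'not set' and are
    skipped, as mactime does. start/end are optional epoch bounds."""
    rows = {}
    for e in entries:
        for field, flag in TIME_FLAGS:
            ts = e[field]
            if ts == 0 or (start is not None and ts < start) or (end is not None and ts > end):
                continue
            row = rows.setdefault((ts, e["name"]), {"flags": set(), "entry": e})
            row["flags"].add(flag)
    timeline = []
    for ts, name in sorted(rows):           # chronological, then by path
        row = rows[(ts, name)]
        macb = "".join(f if f in row["flags"] else "." for f in "macb")
        timeline.append((ts, macb, row["entry"]))
    return timeline


def format_row(ts, macb, e):
    """Render a row the way mactime does: date, size, MACB, mode, uid, gid, inode, name."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return (f"{when} (UTC) {e['size']:>8} {macb} {e['mode']} {e['uid']:>4} "
            f"{e['gid']:>4} {e['inode']:>8} {e['name']}")


if __name__ == "__main__":
    entries = parse_bodyfile(SAMPLE_BODYFILE)
    # Only the day of the incident: everything from 2017-05-10 00:00 UTC on.
    for row in build_timeline(entries, start=1494374400):
        print(format_row(*row))
```

The "macb" row for shell.php is what you look for in a timeline: a file whose creation, modification, change and access times are all identical was written once and has not been modified since, right next to the access.log modification that follows it by about a minute.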

19

bulk_extractor
- tool(-set) by Simson Garfinkel et al.
- highly parallelized, very powerful!
- open source
- can find otherwise overlooked data

20

Used techniques
- bulk analysis
- uses no file system metadata
- similar to file carving
- for processing: pages of size N

21

How?
- analyzes data using "scanners"
- scanners run sequentially
- extracts "features", stores them in files
- recursive scanners: do, rinse, repeat

22

Scanners
- AES keys
- email addresses
- credit card information
- GPS, wordlist, and many more
- implemented in "basic" scanners

23

Recursive!
- most notably: compression & encodings
- e.g. .docx, .pptx are zipped XML
- also PDF, base64, ...
- optimistic decoding is used
- then: feed the decoded data back into the buffer to be analyzed
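
The four bulk_extractor slides above (page-wise bulk scanning without file system metadata, scanners that extract features, and recursive scanners that decode and rescan) as one working miniature. This is an added example written for this page, not bulk_extractor's own code: a toy scanner with an email scanner, a credit card scanner with a Luhn check, and two recursive scanners (base64 and zip) that feed decoded bytes back in. The forensic path it records ("236-BASE64-6") imitates bulk_extractor's convention of chaining the offset of each container with the decoder applied. The page size, margin and recursion limit are assumptions, and the "disk image" is constructed inline for the example.

```python
"""Added example (not bulk_extractor's own code): a toy bulk scanner that walks
raw bytes in fixed pages, ignores file-system metadata, and feeds decoded data
(base64, zip) back into the scanners. Sample image is constructed."""
import base64
import io
import re
import zipfile

MAX_DEPTH = 4  # recursion limit for nested encodings (assumption)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 16 digits with optional space/dash separators, not embedded in a longer digit run
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
# runs of at least 32 base64 characters with optional padding
B64_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops the many 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes, prefix: str = "", base: int = 0, depth: int = 0):
    """Run every scanner over buf. Yields (local_start, kind, forensic_path, value).
    base is the absolute offset of buf inside its container, prefix the path of
    the container itself (empty at the top level)."""
    feats = []
    if depth > MAX_DEPTH:
        return feats
    for m in EMAIL_RE.finditer(buf):
        feats.append((m.start(), "email", f"{prefix}{base + m.start()}", m.group().decode()))
    for m in CCN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            feats.append((m.start(), "ccn", f"{prefix}{base + m.start()}", digits))
    # Recursive scanners: decode optimistically, then rescan the decoded bytes.
    for m in B64_RE.finditer(buf):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:  # looked like base64 but was not; move on
            continue
        child = f"{prefix}{base + m.start()}-BASE64-"
        feats += [(m.start(),) + f[1:] for f in scan_buffer(decoded, child, 0, depth + 1)]
    for m in re.finditer(rb"PK\x03\x04", buf):  # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(buf[m.start():])) as zf:
                members = [(i.filename, zf.read(i)) for i in zf.infolist()]
        except Exception:  # truncated or bogus archive: optimistic decoding failed
            continue
        for name, data in members:
            child = f"{prefix}{base + m.start()}-ZIP-{name}-"
            feats += [(m.start(),) + f[1:] for f in scan_buffer(data, child, 0, depth + 1)]
    return feats


def scan_image(image: bytes, page_size: int = 4096, margin: int = 512):
    """Walk the image page by page, no file system involved. Each page is scanned
    together with a margin from the next page so that a feature straddling the
    boundary is still seen, and seen only once (hits starting inside the margin
    are left to the next page). Returns (kind, forensic_path, value) tuples."""
    found = []
    for off in range(0, len(image), page_size):
        page = image[off:off + page_size + margin]
        for local_start, kind, path, value in scan_buffer(page, "", off):
            if local_start < page_size:
                found.append((kind, path, value))
    return found


def build_sample_image() -> bytes:
    """Constructed sample 'image' (not real evidence): a plain e-mail address, a
    16-digit run that fails Luhn, a base64 blob hiding a card number, and a
    docx-like zip whose XML member holds another address."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:t>contact bob@example.net</w:t>")
    hidden = base64.b64encode(b"card: 4111 1111 1111 1111 exp 12/27")
    return (b"\x00" * 100 + b"alice@example.org" + b"\x00" * 50
            + b"1234 5678 9012 3456" + b"\x00" * 50 + hidden + b"\x00" * 50
            + zbuf.getvalue() + b"\xff" * 64)


if __name__ == "__main__":
    # Small pages on purpose so the base64 blob and the zip cross page boundaries.
    for kind, path, value in scan_image(build_sample_image(), page_size=256, margin=128):
        print(f"{kind:6} {path:40} {value}")
```

Two things worth noticing when you run it: the 16-digit run "1234 5678 9012 3456" is matched by the regex but dropped by the Luhn check, and the address inside the zipped XML is never visible to the plain email scanner because DEFLATE has destroyed the byte alignment; only the recursive zip scanner surfaces it, which is exactly the "otherwise overlooked data" argument.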

24

25

Did I mention?
- very powerful!!1
- used e.g. for extracting TCP flows
- really made for bulk analysis
- will pin ALL available CPU cores
- the more, the merrier

26

Network
- hard to hide (IDS somewhat works?)
- plenty of plaintext
- acquisition is often easy
- plenty of tools

27

28

29

30

Challenges:
- 10G+ networks?
- tap location?
- mirror/monitoring port available?
- fibre tapping?
- production networks?
- cooperation is key!

31

32

33

10G
- Stenographer, by Google
- writes 10G network packets to disk
- no stream reassembly
- built for few reads: capture everything, pull back small packet subsets on demand

34

Mobile
- UFED Physical Analyzer
- Katana Lantern
- Oxygen
- XRY
- Nuix
- BlackBag Technologies

35

Agent-based solutions
- GRR Rapid Response
- osquery
- Mozilla InvestiGator (MIG)
- slightly different regarding capabilities, usage, ...

36

GRR
- by Google
- specifically built for incident response
- supports Windows, Mac, Linux
- open source since 2011
- written in Python
- uses lightweight, local agents

37

GRR deployment
- most logic is server-side
- server generates executables with config
- client simply runs it, done
- easy with Puppet or others
- offline clients run tasks as soon as they are online again

38

GRR pros
- web GUI
- scales very well
- allegedly large setups with 100,000+ client machines
- configuration & roll-out easy
- long-term supported project

39

GRR cons
- not strictly user-friendly (yet)
- initial setup of the server can be tedious
- privacy & legal implications?!

40

GRR RAM
- remote acquisition of RAM
- use Volatility on live RAM
- = really, really cool!

41

GRR flows
- work unit in GRR, asynchronous
- used for client data acquisition
- can use e.g. the OS API, or The Sleuth Kit for file access
- written in Python, stored on the server
- baselining for histograms

42

GRR hunting
- run flows on the entire fleet
- also on offline machines, once they are back
- or any subset, e.g. all machines running Windows
- scalable!
- clients check for new flows every 10 minutes
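
What you do with the output of a hunt, for the "baselining for histograms" point on the flows slide and the fleet-wide hunting slide above. This is an added example, not GRR's own code and not its API: it assumes a process-listing flow has already run as a hunt and been exported as one record per (client, binary path, hash), and stacks those records across the fleet. The fleet data, host names and hash strings are constructed; "stacking" here is the usual frequency analysis where values shared by almost every machine are the baseline and the long tail of the histogram is what gets investigated.

```python
"""Added example (not GRR's own code): stacking hunt results across a fleet.
Fleet records below are constructed."""
from collections import Counter, defaultdict, namedtuple

Record = namedtuple("Record", "client path sha256")

# Constructed baseline: what an unremarkable workstation reports.
BASELINE = [
    ("C:\\Windows\\System32\\svchost.exe", "h-svchost-1"),
    ("C:\\Windows\\System32\\lsass.exe", "h-lsass-1"),
    ("C:\\Program Files\\Corp\\agent.exe", "h-agent-2"),
]


def clients_by_value(records, key):
    """Map each value of key(record) to the set of clients that reported it."""
    seen = defaultdict(set)
    for r in records:
        seen[key(r)].add(r.client)
    return seen


def stack(records, key):
    """Histogram over distinct clients: on how many machines does each value occur?"""
    return Counter({k: len(v) for k, v in clients_by_value(records, key).items()})


def rare_values(records, key, max_clients=2):
    """Values seen on at most max_clients machines: the tail of the histogram."""
    seen = clients_by_value(records, key)
    return sorted((k, sorted(v)) for k, v in seen.items() if len(v) <= max_clients)


def hash_conflicts(records):
    """Same path, different binaries: which machines disagree with the rest?"""
    by_path = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_path[r.path][r.sha256].add(r.client)
    return {path: {h: sorted(c) for h, c in hashes.items()}
            for path, hashes in by_path.items() if len(hashes) > 1}


def build_hunt_results(n_clients=50):
    """Constructed hunt export: 50 clients, two of which look wrong."""
    records = []
    for i in range(1, n_clients + 1):
        client = f"ws-{i:03d}"
        for path, sha in BASELINE:
            if path.endswith("agent.exe") and i <= 10:
                sha = "h-agent-1"  # ten machines still run the previous agent build
            records.append(Record(client, path, sha))
    # svchost.exe started from a user-writable directory on one machine ...
    records.append(Record("ws-017", "C:\\Users\\Public\\svchost.exe", "h-unknown-9"))
    # ... and one machine whose lsass.exe hash differs from the other 49
    records = [r._replace(sha256="h-lsass-x")
               if r.client == "ws-023" and r.path.endswith("lsass.exe") else r
               for r in records]
    return records


if __name__ == "__main__":
    recs = build_hunt_results()
    key = lambda r: (r.path, r.sha256)
    for (path, sha), n in stack(recs, key).most_common():
        print(f"{n:4}  {sha:14} {path}")
    print("rare:", rare_values(recs, key))
    print("conflicts:", hash_conflicts(recs))
```

The histogram alone already separates the three cases: the old agent build shows up on ten machines (drift, not an intrusion), while the two single-host values are the ones a hunt exists to find. The conflict view adds the second question, which machines disagree about a binary the whole fleet should share.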

43

GRR performance
- client will kill itself if too resource-hungry
- heartbeat
- memory limit (500 MB)
- CPU limit (3 minutes)

44

osquery
- by Facebook
- built for monitoring systems & detecting intrusions
- SQL-like query language
- supports Windows, Linux, OS X, FreeBSD
- open source since 2014

45

osquery can watch
- running processes
- filesystem changes
- log aggregation
- scan for YARA or IOC
- all in configurable intervals, e.g. every 10 seconds
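
The two osquery slides above in working form: a scheduled query over the process and listening-port tables, re-run every interval, with only the rows that appeared or vanished reported. This is an added example, not osquery's code: osquery is not available offline, so the `processes` and `listening_ports` tables are stood in by in-memory SQLite tables with the same column names (osquery's query engine is SQLite, so the query text is what you would schedule in osquery as well). The three snapshots are constructed; the differential step is the same logic osqueryd applies to a scheduled query's results between runs.

```python
"""Added example (not osquery's code): an osquery-style scheduled query replayed
over constructed snapshots, with differential (added/removed) output."""
import sqlite3

# Plain SQL; the column names match osquery's processes and listening_ports tables.
QUERY = """
SELECT p.pid, p.name, p.path, lp.port, lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.protocol = 6 AND lp.family = 2      -- TCP over IPv4
ORDER BY lp.port, p.pid
"""

BASE_PROCS = [(712, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
              (903, "nginx", "/usr/sbin/nginx", "nginx: master process")]
BASE_PORTS = [(712, 22, 6, 2, "0.0.0.0"), (903, 80, 6, 2, "0.0.0.0")]

# Constructed snapshots, one per scheduler interval.
SNAPSHOTS = [
    {"processes": BASE_PROCS, "listening_ports": BASE_PORTS},                 # t0: baseline
    {"processes": BASE_PROCS + [(4242, "python3", "/tmp/.x/python3", "python3 /tmp/.x/s.py")],
     "listening_ports": BASE_PORTS + [(4242, 4444, 6, 2, "0.0.0.0")]},        # t1: new listener
    {"processes": BASE_PROCS, "listening_ports": BASE_PORTS},                 # t2: gone again
]


def run_query(snapshot, query=QUERY):
    """Load one snapshot into stand-in tables and run the query against it."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER,
                                      family INTEGER, address TEXT);
    """)
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", snapshot["processes"])
    con.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?, ?)",
                    snapshot["listening_ports"])
    rows = con.execute(query).fetchall()
    con.close()
    return rows


def diff_results(previous, current):
    """Differential logging: only rows that appeared or vanished since the last run."""
    prev, cur = set(previous), set(current)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


def schedule(snapshots, query=QUERY):
    """Replay the interval runs and collect the diff emitted after each one."""
    last, log = [], []
    for snap in snapshots:
        rows = run_query(snap, query)
        log.append(diff_results(last, rows))
        last = rows
    return log


if __name__ == "__main__":
    for i, event in enumerate(schedule(SNAPSHOTS)):
        print(f"t{i}: added={event['added']} removed={event['removed']}")
```

The first run reports the whole result set as "added" (there is no previous result yet); after that the output is silent until something changes, which is what makes an interval of ten seconds affordable across a fleet: the cost is the query, not the log volume.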

46

MIG
- by Mozilla
- supports Windows, OS X, Linux
- written in Go
- open source since 2013

47

Do you do Incident Response?

48

Thx! Questions?

49

Links
- thisweekin4n6
- peekatorrent
- ICDF2C, CfP 15th of May

50