Towards IoT Forensics: Headless and Remote
IT Sec-X 2016, Dr. Martin Schmiedecker
Overview
What is IoT?
Headless & Remote
Outlook
What is IoT?
Why is this a problem?
• incident response
• forensic image acquisition
• plenty and plenty of systems
• what can possibly go wrong?
IoT Forensics?
No, seriously!
1. connected
2. headless
3. diverse
4. small
What is IoT!
Headless & Remote
Things there are:
• GRR Rapid Response (Google)
• osquery (Facebook)
• MIG (Mozilla)
• stenographer
GRR Rapid Response:
• by Google
• specifically built for incident response
• supports Windows, OS X, Linux
• open source since 2011
• written in Python
• uses lightweight, local agents
Pros:
• web GUI
• scales very well
• large setups with 100,000+ client machines
• configuration & roll-out easy
• long-term supported project
Cons:
• not strictly user-friendly (yet)
• initial setup of server can be tedious
• privacy & legal implications?!
Deployment:
• most logic is server-side
• server generates executables with config
• client simply runs it, done
• easy with Puppet or others
• offline clients run tasks asap when online
osquery:
• by Facebook
• built for monitoring systems & detecting intrusions
• SQL-like query language
• supports Windows, Linux, OS X, FreeBSD
• open source since 2014
Things like:
• running processes
• filesystem changes
• log aggregation
• scan for YARA or IOC
• all in configurable intervals, e.g. every 10 seconds
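As an added example (not from the slides and not osquery's own shipped configuration), a constructed osquery configuration that schedules the kinds of checks listed above: a running-process inventory every 10 seconds, filesystem change events under /etc and /tmp, and a YARA scan of /tmp against an IOC rule set, with results written to the local filesystem logger for aggregation. The rule file /etc/osquery/yara/ioc.yar, the log directory /var/log/osquery and the signature group name ioc_rules are assumed placeholders; file_events and yara_events only produce rows when events are enabled (disable_events set to false) and the osquery build includes YARA support.

```json
{
  "options": {
    "disable_events": "false",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "schedule_splay_percent": 10
  },
  "schedule": {
    "running_processes": {
      "query": "SELECT pid, parent, name, path, cmdline, uid FROM processes;",
      "interval": 10
    },
    "config_file_changes": {
      "query": "SELECT target_path, action, time, sha256 FROM file_events;",
      "interval": 60,
      "removed": false
    },
    "yara_scan_tmp": {
      "query": "SELECT path, matches, count FROM yara WHERE path LIKE '/tmp/%' AND sig_group = 'ioc_rules';",
      "interval": 300,
      "snapshot": true
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"],
    "tmp": ["/tmp/%%"]
  },
  "yara": {
    "signatures": {
      "ioc_rules": ["/etc/osquery/yara/ioc.yar"]
    },
    "file_paths": {
      "tmp": ["ioc_rules"]
    }
  }
}
```

Loaded with osqueryd --config_path pointing at this file, the process query is differential (only added and removed rows are logged), the file_events query drops "removed" rows since events are append-only, and the YARA query is a snapshot so each scan logs the full set of matches rather than a diff. schedule_splay_percent spreads the intervals slightly so a fleet of headless devices does not all report at the same instant.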
MIG:
• by Mozilla
• supports Windows, OS X, Linux
• written in Go
• open source since 2013
Things like:
• running processes
• network info, e.g. locate a MAC address
• find specific USB devices which are connected
• also runs on switches
• PostgreSQL backend
stenographer:
• by Google
• writes 10G network packets to disk
• no stream reassembly
• packet sampling, a.k.a. few reads
• MoonGen vs. stenographer, who will win?
Outlook
Questions?