Computer Forensics: You can run but you can't hide


Published on March 10, 2014

Author: ansanz

Source: slideshare.net

Description

A talk describing the field of computer forensics and its relationship to incident response. Live forensics, timelines, the Windows registry, smartphones, cloud forensics, ethics, and writing and defending expert reports are the topics covered.

Digital Forensics & IR You can run, but you can’t hide

Antonio Sanz, IT Systems & Security Manager, expert witness. @antoniosanzalc http://www.equipoazul.es

#SanPepe2014

WTF DFIR bro? Boring legal stuff Forensic magic Stand-up guy Wanna more ?

There is a war out there

Cybercrime

Cyberespionage

Child pornography

Digital Forensics Incident Response

IR: respond to an incident

Digital forensics: post-mortem

Locard’s exchange principle

This is not a pipe


It’s all about evidence, stupid!

No fancy 3D tools like CSI

Techniques, tools and procedures

People could go to prison

Digital forensics phases: Identification, Acquisition, Preservation, Analysis, Dissemination. Legal considerations apply at some phases, technical work at others.


Acquisition

Mobile devices

RAID, SAN, NAS, VM

Cloud storage

Game consoles, ebooks, DVR …

Gotta catch ‘em all

Should I pull the plug?

Use a cond… a write blocker

Get the whole enchilada

Preservation is king

Chain of custody

OBEY THE CHAIN
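The three slides above (image the whole device, preserve it, document the chain of custody) come down to one procedure: read every block of the source, never let a bad sector silently shorten the image, hash as you go, and write the hashes into the first custody record so every later copy can be checked. The Python below is an added example written for this page, not code from the talk; the "device" is a constructed BytesIO with one unreadable block, the examiner name is hypothetical, and the zero-fill-on-error behaviour mirrors what dd does with conv=noerror,sync.

```python
import hashlib
import io
import json
import time

BLOCK_SIZE = 512

# Constructed stand-in for a raw block device: 4 blocks of known content
# in which block 2 is unreadable, the way a damaged sector is on real media.
SOURCE_BYTES = bytes(range(256)) * 8      # 2048 bytes (constructed sample)
BAD_BLOCK = 2


class FlakyDevice(io.BytesIO):
    """BytesIO that raises OSError when a read starts inside the bad block."""

    def __init__(self, data, bad_block):
        super().__init__(data)
        self.bad_block = bad_block

    def read(self, size=-1):
        if self.tell() // BLOCK_SIZE == self.bad_block:
            raise OSError(5, "Input/output error")
        return super().read(size)


def acquire(src, dst, total_size, block_size=BLOCK_SIZE):
    """Image src into dst block by block, hashing on the fly.

    An unreadable block is replaced by zeros and its offset recorded (the
    behaviour of dd conv=noerror,sync), so the image keeps the geometry of
    the original device instead of silently shrinking.
    Returns (sha256_hex, md5_hex, unreadable_offsets).
    """
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    unreadable = []
    offset = 0
    while offset < total_size:
        src.seek(offset)
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b""
            unreadable.append(offset)
        # zero-fill failed or short reads so every block is block_size long
        chunk = chunk.ljust(block_size, b"\x00")
        dst.write(chunk)
        sha256.update(chunk)
        md5.update(chunk)
        offset += block_size
    return sha256.hexdigest(), md5.hexdigest(), unreadable


def custody_record(examiner, source_description, sha256_hex, md5_hex, unreadable):
    """First link in the chain of custody: who imaged what, when, and the
    hashes against which every later copy is checked."""
    return {
        "examiner": examiner,
        "source": source_description,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256": sha256_hex,
        "md5": md5_hex,
        "unreadable_offsets": unreadable,
    }


def verify_image(image_bytes, record):
    """Re-hash a working copy and compare with the record; any mismatch means
    the copy is not the evidence that was acquired."""
    return (hashlib.sha256(image_bytes).hexdigest() == record["sha256"]
            and hashlib.md5(image_bytes).hexdigest() == record["md5"])


def demo():
    src = FlakyDevice(SOURCE_BYTES, BAD_BLOCK)
    dst = io.BytesIO()
    sha, md5, bad = acquire(src, dst, len(SOURCE_BYTES))
    record = custody_record("examiner name (hypothetical)",
                            "constructed 2048-byte device", sha, md5, bad)
    return dst.getvalue(), record


if __name__ == "__main__":
    image, record = demo()
    print(json.dumps(record, indent=2))
    print("image verifies:", verify_image(image, record))
    print("tampered copy verifies:", verify_image(image[:-1] + b"\x01", record))
```

Two points the code makes that the slides only hint at: the unreadable offsets are part of the record, because an opposing expert will ask why a region of the image is all zeros, and the hashes are computed over the bytes actually written, so the record describes the image you have rather than the device you wish you had. Work on copies verified against this record; the original stays behind the write blocker.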


Bad guys want to hide … but they need to run

Remember Locard: Artifacts

Live forensics

Order of Volatility

Cold boot attacks

Preservation is king

Standard forensics

Recover deleted data

How filesystems work
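Deleting a file removes its directory entry and frees its blocks; the content stays in unallocated space until something overwrites it. That is why "recover deleted data" works without any file system metadata at all: scan the raw bytes for known headers and footers. The Python below is an added example for this page, not a tool from the talk. The signature table and the 8 KiB "disk image" (a deleted JPEG, a deleted PNG and a JPEG whose tail has been overwritten) are constructed.

```python
# File-type signatures: (label, header, footer). Constructed table covering
# the two footer-delimited formats planted in the sample image below.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    # a PNG ends with a zero-length IEND chunk followed by its fixed CRC
    ("png", b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"),
]

# Constructed "unallocated space": a deleted JPEG, a deleted PNG and a JPEG
# fragment whose footer was overwritten by later writes.
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 100 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
ORPHAN_JPG = b"\xff\xd8\xff\xe1" + b"B" * 40          # header only, tail gone


def build_image():
    """Return the constructed 8 KiB image with the three objects planted."""
    image = bytearray(8192)
    image[1024:1024 + len(FAKE_JPG)] = FAKE_JPG
    image[4096:4096 + len(FAKE_PNG)] = FAKE_PNG
    image[7000:7000 + len(ORPHAN_JPG)] = ORPHAN_JPG
    return bytes(image)


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Header/footer carving over raw bytes, independent of any file system.

    Returns [(label, offset, data)] sorted by offset. A header with no footer
    within max_size is reported with data=None: that is what a partially
    overwritten file looks like, and it is still evidence that the type of
    file once existed there.
    """
    found = []
    for label, header, footer in signatures:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append((label, start, None))
                pos = start + 1
            else:
                end += len(footer)
                found.append((label, start, image[start:end]))
                pos = end
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    for label, offset, data in carve(build_image()):
        size = "fragment" if data is None else f"{len(data)} bytes"
        print(f"{label} at offset {offset}: {size}")
```

What carving cannot give back is the filename and the original timestamps: those lived in the directory entry that deletion removed. Pairing carved content with what the file system journal, the Recycle Bin metadata or the registry still say about the name is where the "put two and two together" work later in the talk begins.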

Good times, MAC times

Making history

Space / Time Analysis
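MAC times (modified, accessed, metadata changed) are the raw material of a timeline: every file contributes one row per distinct timestamp, flagged mactime-style, and sorting the rows tells the story of the machine. The Python below is an added example written for this page, not code from the talk; it builds a small constructed directory tree in a temp folder, one ordinary file and one tool whose m/a times were backdated a year with os.utime, and then produces the timeline and flags the backdating. The 30-day threshold is an assumption for the sample.

```python
import os
import tempfile
import time
from collections import defaultdict

FLAGS = "macb"               # modified, accessed, changed (metadata), born (where exposed)
TIMESTOMP_GAP = 30 * 86400   # assumed threshold: mtime >30 days older than ctime


def build_timeline(root):
    """Walk root and emit one row per (file, distinct timestamp) with
    mactime-style flags, sorted chronologically.
    Rows are (epoch_seconds, flags, size, relative_path)."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            times = {"m": int(st.st_mtime), "a": int(st.st_atime), "c": int(st.st_ctime)}
            birth = getattr(st, "st_birthtime", None)   # only some platforms expose it
            if birth is not None:
                times["b"] = int(birth)
            grouped = defaultdict(set)
            for flag, ts in times.items():
                grouped[ts].add(flag)
            rel = os.path.relpath(path, root)
            for ts, flags in grouped.items():
                rows.append((ts, "".join(f if f in flags else "." for f in FLAGS),
                             st.st_size, rel))
    rows.sort()
    return rows


def format_row(row):
    ts, flags, size, path = row
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
    return f"{stamp} {flags} {size:>8} {path}"


def find_timestomped(rows, gap=TIMESTOMP_GAP):
    """Paths whose ctime is far later than their mtime.

    utime()/SetFileTime let a user backdate m and a, but the kernel sets c
    itself, so a large gap is a lead. It is not proof: ctime also moves on
    chmod, chown or rename, so the row has to be read against the rest of
    the timeline."""
    mtime, ctime = {}, {}
    for ts, flags, _size, path in rows:
        if "m" in flags:
            mtime[path] = ts
        if "c" in flags:
            ctime[path] = ts
    return sorted(p for p in mtime if ctime.get(p, 0) - mtime[p] > gap)


def constructed_case():
    """Constructed sample tree: an ordinary document, and a tool whose m/a
    times were backdated one year (what an attacker's timestomp does)."""
    root = tempfile.mkdtemp(prefix="dfir_")
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"quarterly report (constructed)")
    os.mkdir(os.path.join(root, "tools"))
    tool = os.path.join(root, "tools", "x.exe")
    with open(tool, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    year_ago = int(time.time()) - 365 * 86400
    os.utime(tool, (year_ago, year_ago))   # atime and mtime backdated; ctime stays "now"
    return root


if __name__ == "__main__":
    timeline = build_timeline(constructed_case())
    for row in timeline:
        print(format_row(row))
    print("possible timestomping:", find_timestomped(timeline))
```

On a real case the rows come from the image rather than a live tree (The Sleuth Kit's fls -m and mactime produce the same shape and include deleted entries), and the timeline is then enriched with the other sources the talk lists: registry, prefetch, event logs, browser history. The "space" half of space/time analysis is the same idea applied to offsets: what sits next to what on disk.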

Recycle bin are gold mines

Registry knows where your porn is

Don’t delete your history. Or do it, it doesn’t matter

Prefetch: dogs can’t prefetch

Where did you say you hide your crap?

Event logs: finding things in logs is like…

You’ve got an email

Your Instant Messages belong to us

Every USB you plugged could be used against you

Too much … metadata

Share your downloads with us !

Smartphone / Tablets

Acquisition is complicated

Preservation is king

Yummy extra info: a data breakfast

Virtual Machines

Take snapshots like there’s no tomorrow

Preservation is king

Network forensics

How I Xplico to you, dude?

Preservation is king

Cloud computing

There are always traces left


Cut to the chase

Know your trade

Know your enemy

Use more than one tool

Missing things tell us a lot

Put two and two together

Always learn new tricks

50% knowledge, 30% technique, 15% instinct, 5% luck

Writing the report
> Introduction
> Executive summary
> Context of the report (people, places, dates)
> Initial established facts (what we know)
> Demonstrable technical facts (what we found)
> Conclusions
> Appendix: Evidence

Defending the report
> Rebuttal expert report from the other side
> Presenting the report in court
> Qualifications of the expert
> Validity of the tools
> Questions from the opposing party
> Stay calm, answer only what is asked, and think before you answer

Ethics


Books

Blogs

Tools / LiveCDs

Certifications

Conclusions

We need DFIR. Lots of it.

Legal issues are critical

Many places to look: you have to know where, how & why

You can run. You can’t hide.

If you’re guilty… we’ll catch you. @antoniosanzalc http://www.equipoazul.es http://bit.ly/1h47zfF
