Cyber Analysis Tools:
The State of the Union
August 26, 2014
Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time
Generously sponsored by:
Welcome
Conference Moderator
Product Management, Threat Track Security
Agenda
• Speaker Introduction
• Russ McRee, Director, Threat Intelligence & Engineering, Microsoft Online Services Security & Compliance
• Dipto Chakravarty, EVP of Engineering and Products, Threat Track Security
• Jason Sabin, Vice President of Research and Development, DigiCert
• Open Panel with Audience Q&A
A Toolsmith Take:
Knowledge Before Application
Director, Threat Intelligence and Engineering, Microsoft Online Security & Compliance @holisticinfosec
Forensics 101
STEP 1: Preparation – Identifies the purpose and resources
STEP 2: Acquisition – Pinpoints the sources of evidence
STEP 3: Analysis – Extracts, collects and analyzes evidence
STEP 4: Reporting – Documents and presents the evidence
Cyber Forensics is the practice of analyzing digital information in the form of evidence that is legally admissible. For example, Sony’s PlayStation network experienced a DDoS on August 25, 2014, and will undergo digital and cyber forensics to ensure the safety of its 53 million users’ personal information.
Cyber Forensics: Emails
• “Emails are like footprints in the snow.”
• Deleting an email doesn’t mean it erases the records. The work is similar to conventional detective work.
• MiTec Viewer
– Reads Outlook Express and Windows Live Mail, with search and filtering capabilities
• PST-OST Viewer
Cyber Forensics: Data
• Data mirroring is key in cyber forensics. Exact copy is created without alteration.
• Live View
– Creates a VM of a physical disk. Allows us to view the data blocks with a user persona and full UX.
• DumpIt
Cyber Forensics: Disk
• Disk imaging in cyber forensics involves recovery of hidden and erased files. Exact copy is created without alteration.
• Recuva
– Free tool. Recovers deleted files from disks as well as SD cards, flash drives and cameras
• EDD
– For rapid IR, it is used as an encrypted disk detector. It checks for encrypted volumes and tells which transient evidence needs to be saved before the system is powered down.
Cyber Forensics: Registry
• ‘R’ Forensics is about extracting contextual metadata more than the data or the user.
• MuiCache
– Views the list in the MuiCache. (It is the Registry key that stores a list of every application installed on the Windows OS.)
• USBDeview
– Lists all USBs connected to the computer (now or earlier!)
Cyber Forensics: Network
• ‘N’ Forensics is about monitoring traffic, i.e., “data in motion”, with the intent to collect evidence/samples.
• Wireshark
– Popular tool, with both hackers and law enforcement.
– Captures packets, inspects frames and displays user data in its own GUI for analysis
• Network Miner
– Windows-specific tool to detect open ports of network hosts.
Cyber Forensics: Browser
• ‘B’ Forensics is all about scanning the session trail left behind in the browser cache. Note that almost every browser uses a cache to expedite internet surfing.
• MyLastSearch
– Scans the cache and browser history files looking for searches you’ve made with popular search engines and social networking sites.
• ChromeCacheView
– Reads the cache folder to display cached files, URLs, access
Cyber Forensics: Apps
• ‘A’ Forensics consists of reading the app-specific log files without knowing the application password.
• SkypeLogView
– Displays details of incoming/outgoing calls, chat messages, and file transfers made by the Skype account.
• Y! Messenger Decoder
– Views the chat sessions, SMS and private messages, including emoticons, without knowing the password. Similar tools exist for other browsers.
General Tools for Forensics Investigation
1. SANS SIFT
2. Linux ‘dd’
3. Xplico
4. The Sleuth Kit
5. Hex Editor Neo
6. Oxygen Forensic Suite
Linux ‘dd’ – Investigative Uses
• Available on almost all Linux o.s distributions
• Used for multifarious forensic tasks, including
– Forensically wiping a drive
• dd if=/dev/zero of=/dev/drv1 bs=1024
• where if = input file, of = output file, bs = byte size
– Creating a raw image of a drive
• dd if=/dev/drv1 of=/home/diptoc/newimage.dd bs=512 conv=noerror,sync
• where bs = byte size, conv = conversion option
• Very powerful tool – Handle with care.
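An added example, not from the slides: the imaging command above applied to a constructed sample file instead of a real drive, followed by the SHA-256 comparison an examiner uses to show the copy is unaltered. The function names hash_of, image_and_verify and make_sample are chosen here.

```shell
#!/bin/sh
# Added example: raw-copy a source with dd as on the slide, then verify the
# image against the source with SHA-256. The "evidence" is a constructed
# temporary file, not a disk device.
set -e

hash_of() {
    # Portable SHA-256: GNU coreutils sha256sum, else BSD/macOS shasum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST: copy SRC to DST with the slide's dd options and
# return 0 only if source and image hash identically.
image_and_verify() {
    src=$1; dst=$2
    # conv=noerror keeps reading past I/O errors; conv=sync pads a short final
    # block with NULs up to bs. Caveat: if the source length is not a multiple
    # of bs, that padding makes the image longer than the source and the two
    # hashes will differ, so record the hash over the padded image as well.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    [ "$(hash_of "$src")" = "$(hash_of "$dst")" ]
}

# Constructed sample: exactly 64 full 512-byte blocks, so conv=sync pads nothing.
make_sample() {
    tmp=$(mktemp)
    dd if=/dev/urandom of="$tmp" bs=512 count=64 2>/dev/null
    printf '%s\n' "$tmp"
}

SRC=$(make_sample)
IMG="$SRC.dd"
if image_and_verify "$SRC" "$IMG"; then
    echo "image verified, sha256 $(hash_of "$IMG")"
else
    echo "hash mismatch: image does not match source" >&2
fi
rm -f "$SRC" "$IMG"
```

Run the image under a hash first and keep that hash with the chain-of-custody notes; the same comparison reveals later tampering with the image file.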
Xplico – Investigative Uses
• Open source tool for network forensic analysis
• Extracts application data from the net traffic, e.g.
• Live capture of email stream from SMTP traffic
Summarizing Cyber Forensics
• Assess user activity w.r.t. usage patterns
• Analyze data remnants in transient states
• Audit logs to unravel stealth data that’s encrypted
• Assert usage of content and contextual artifacts
• Answer the hard stuff:
– “the known knowns” – Facts
– “the known unknowns” – Questions
– “the unknown knowns” – Intuitions
Thank You!
Dipto Chakravarty – on LinkedIn and Twitter: dipto; on G+ and Y!: diptoc
Types of Forensics
• Email Forensics
– PST-OST Viewer – MiTec Mail Viewer
• Data Forensics
– DumpIt – Live View
• Disk Forensics
– Recuva
– Encrypted Disk Detector
• Registry Forensics
– Proc Monitor
– Regshot
– USBDeview
– MuiCache View
• Network Forensics
– Wireshark
– Network Miner
• Internet Forensics
– MyLastSearch
– Password Fox
– ChromeCache View
– MozillaCookies View
• Application Forensics
– SkypeLogView
– Y! Messenger Decoder
Source: http://resources.infosecinstitute.com/computer-forensic-tools-laymen/
Jason Sabin
Vice President of Research & Development, DigiCert
SSL: What can we do better?
• 51% of enterprises do not know all of the keys and certs on their network*.
• About 2 in 3 enterprises still use ciphers vulnerable to BEAST.
• Still seeing 1024-bit key sizes or lower.
• Only 6% of SSL certificates on the web use SHA-2.
• Heartbleed in hardware and statically compiled applications.
Improper implementation
Some high profile stories:
– Heartbleed
– Goto Fail
– BEAST, CRIME, BREACH, etc.
– Weak cipher suites
– Weak algorithms
Is your network secure?
• What do most potential exploits have in common?
SSL “best practices”
• Always-On SSL
• Secure Cookies
• HSTS (HTTP Strict Transport Security)
• Disable Weak Cipher Suites
• Secure Renegotiation
• Disable TLS Compression
Thank You!
SSL Analysis Tools
https://www.ssllabs.com
https://www.digicert.com/cert-inspector.htm
http://www.whynopadlock.com/
Jason Sabin, Vice President of Research & Development
Panel:
• Russ McRee, Director, Threat Intelligence and Engineering, Microsoft Online Security & Compliance
• Dipto Chakravarty, EVP of Engineering and Products, Threat Track Security
• Jason Sabin, Vice President of Research & Development, DigiCert
#ISSAWebConf
Join us on Thursday, Sept. 11, 2014
12:00 PM - 2:00 PM EDT
ISSA Annual State of the Association Discussion ISSA 2014 Annual Members’ Meeting Webinar
Space is limited.
Reserve your Webinar seat now at:
Thank you to Citrix for donating the Webcast service
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link information:
http://www.surveygizmo.com/s3/1778276/ISSA-Web-Conference-Aug-2014-Cyber-Analysis-Tools-The-State-of-the-Union