1 Universität Mannheim, Praktische Informatik I
Examining and imaging data on running systems using LiveWire
Steven W. Wood, Master of Science (Florida Institute of Technology)
ALSTE Technologies GmbH, Im Riemen 9, Babenhausen

2 Overview
- ALSTE Technologies GmbH founded in 2000
- Specialized in computer forensic services, hardware, software and training
- Contract services provided to: prosecution, courts, tax enforcement agencies, police, other government agencies
- No criminal defense

3 Qualifications
- US Army, retired
- MCSE, MCSD, MCSA, MCP
- Certified Fraud Examiner
- AccessData Certified Examiner
- EnCase Certified Examiner
- Certified in Homeland Security - Level IV
- Certified Steganography Examiner
- Certified LiveWire Examiner
- Certified Computer Examiner
- Certified Information Forensics Investigator
- Bachelor of Science in Computer Systems
- Master of Science in Computer Information Systems
- Doctor of Science candidate, University of Mannheim
4 Modern Crime Scene
5 Critical Challenges in Forensics Today
- Large user populations
- Geographically diverse enterprises
- Impact of the investigation on operations and productivity
- Suspect computers may contain encrypted file systems
- Suspect computers may contain booby traps and malicious software
- Suspect computers may be in a hostile environment
- The need to locate and acquire evidence anywhere at any time has arrived
- We must narrow the investigative scope and drive the investigation

6 LiveWire Investigator Solution
- Rapid enterprise incident response and triage
- Enterprise-wide investigations
- Enterprise-wide network mapping
- Immediate recovery of live evidence
- Investigation of Windows and Linux hosts while in their operational state
- Examination of encrypted volumes
- Collection of running-state information
- Capture of volatile memory
- Rapid identification of the presence of malicious software

7 LiveWire Investigator Pedigree
- LiveWire is the result of a 3-year U.S. Air Force funded research and development program
- The requirement was to develop a forensically sound and stealthy investigative technology that can acquire, search and discover evidence within live running network devices
- The forensic soundness of LiveWire was verified at the U.S. Air Force Concept Validation Laboratory in Rome, NY

8 What LiveWire is not
- Not a hacker tool: we need the Administrator user name and password
- Everything we do is written to an extensive log file
9 Common tools used in Live Forensics
- The majority are open source
- Linux: F.I.R.E., Helix, Penguin Sleuth Kit, SLAX, Gentoo

10 Common tools used in Live Forensics
- Windows: Fport, Netstat, Nbtstat, Listdlls, Pslist, MD5sum

11 Issues with common tools
- Challenge to get all of the right tools together
- Difficulty keeping tools updated
- Increased workload to keep tools validated
- Using many tools to get the job done
- Some tools depend on other tools: they must be used in the right order and are dependent on output from other tools
- Any errors cascade through the entire process: an error in one tool can ruin the whole process, spoiling all of the evidence gathered

12 Most glaring omission
- Open source tools tend not to provide one function that is critical to forensics: Logging!!!
- The investigator is forced to write down everything they do, which opens them to challenges in court.
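The slide's point is that a live-response session needs a record that cannot be quietly edited after the fact. As an added example (not LiveWire code, and not from the original slides), the block below keeps a tamper-evident action log: each action is a JSON line carrying a timestamp, the exact command, a SHA-256 of its output, and a hash chaining it to the previous entry, so a later edit, deletion or reordering is detectable. The `record_action`/`verify_log` names and the JSONL layout are this example's own assumptions.

```python
"""Tamper-evident action log for live-response work (added example).

Each recorded action is chained to the previous one by hash, so an
edited, removed or reordered entry breaks the chain at a known point.
The field names and file layout are assumptions of this example.
"""
import hashlib
import json
import time
from typing import List, Optional

GENESIS = "0" * 64  # constructed anchor value for the first entry's prev_hash


def _entry_hash(entry: dict) -> str:
    """SHA-256 of the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def record_action(log: List[dict], examiner: str, host: str, command: str,
                  output: bytes, ts: Optional[float] = None) -> dict:
    """Append one action to the in-memory log and return the new entry.

    The output itself is not stored in the log (it may be large or sensitive);
    its digest and length are, so the saved output can be tied to this entry.
    """
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": ts if ts is not None else time.time(),
        "examiner": examiner,
        "host": host,
        "command": command,
        "output_sha256": hashlib.sha256(output).hexdigest(),
        "output_len": len(output),
        "prev_hash": prev,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return i  # gap, deletion or reordering
        if _entry_hash(entry) != entry.get("entry_hash"):
            return i  # field edited after recording
        prev = entry["entry_hash"]
    return None


def dump_jsonl(log: List[dict]) -> str:
    """Serialise the log as one JSON object per line (append-only on disk)."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log)


def load_jsonl(text: str) -> List[dict]:
    """Parse a JSONL log back into entries for verification."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```

Writing each line to disk with an append-only open mode, and hashing the output file alongside the entry, gives the written record the slide asks for without relying on the examiner's notes.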
13 LiveWire Capabilities
1. Live Inquiry
2. Acquire State
3. Acquire Disk Data
4. Acquire Remote Disk Image
5. Live Malware Detection & Analysis
6. Network Mapping

14 Features - Live Inquiry
What - Acquire general evidence from the running target host in a stealthy manner. This includes running process state, open handles, process/port associations, system logs, installed devices, mounted drives, network statistics and configuration, user accounts and logged-in users.
How - Stealthy remote triage of suspect computers to determine instantaneous activity.

15 Features - Acquire State
What - Acquire a volatile memory and/or registry snapshot of the target host. This could include recently used applications and documents, recently visited web sites, chat logs and e-mails. The physical RAM captured may contain vital password and account information, remnants of visited web sites, recent messages, phone numbers, addresses and chat identities.
How - Immediate examination of recent activities performed by the suspect. This volatile information would be lost if power were removed.

16 Features - Acquire Disk Data
What - Acquire disk data from any mounted volumes (this includes encrypted volumes). Perform an advanced search of the target host for keywords, phrases or regular expressions. In addition, the search for one-way hash values provides the ability to locate known files based on their digital fingerprint.
How - Enterprise-wide search and acquisition of information pertinent to the investigation.

17 Features - Acquire Remote Disk Image
What - Acquire a disk image of the suspect computer. The result is a live DD image of the target host.
How - Acquisition of remote images provides the forensic investigator with the capability of performing a detailed post-mortem forensic analysis of the remote suspect data containers.

18 Features - Live Malware Detection & Analysis
What - LiveWire includes Gargoyle Investigator Enterprise edition. When used in conjunction with LiveWire, Gargoyle Enterprise provides comprehensive malware discovery in enterprise environments.
How - In incident response situations where malicious code is suspected, such as rootkits, Trojans, key loggers, spyware, denial of service tools, etc. Also in investigations of malicious insiders who are using unauthorized cyber weapons such as wired and wireless sniffers, password crackers, encryption, steganography, evidence erasers and countermeasures.

19 Features - Network Mapping
What - LiveWire provides the ability to map the target network environment, which includes not only workstations and servers but also printers, routers, switches, firewalls and other protective devices.
How - Initial triage of the networking environment under investigation using LiveDiscover.

20 Usage Scenarios for LiveWire
- Consented Search - An authorized individual provides remote access to a potential cyber crime scene. This may include the victim of the crime or another authorized cooperating third party to the investigation.
- Authorized Search - Organizational officials may provide authorization to conduct an enterprise-wide investigation of a cyber crime scene. In these cases employees of the organization will have signed an agreement that is a condition of their employment.
- Legal Search - Legal authority has authorized the search and seizure of intelligence or evidence. Access is granted through a court order or search warrant that governs such collection of live digital evidence.

21 Traditional Forensic Response
- Locating the suspect host(s) may be complicated in large, geographically diverse environments where many users are mobile
- The time to locate, obtain and shut down the suspect host computer and then image the installed physical hard drives may take hours or days
- If the suspect machine is a server that many users depend upon, imaging may be impractical or impossible
- Potentially critical state information will be lost through the shutdown process
- Triage of even a small number of suspected hosts would cause significant down-time and thus economic loss
22 Case Study
23 Where was the evidence?
24 LiveWire Overview
25 LiveWire Software Suite - LiveDiscover
- Performs network discovery
- Identifies hosts and IP addresses
- Identifies rogue devices
- Operating systems
- Potential vulnerabilities
- Running services

26 LiveWire Software Suite - LiveWire Investigator
Performs live investigations:
- Acquires live evidence
- Acquires system state
- Acquires volatile memory
- Acquires evidence from encrypted volumes
- Acquires registry, system logs
- Acquires user account information
- Acquires network statistics and configuration
- Searches and acquires files on demand
- Acquires remote disk images

27 LiveWire Software Suite - Gargoyle Investigator Enterprise
Performs extensive malware identification:
- Trojans, rootkits, key loggers, spyware
- Password crackers, encryption, steganography
- Wired and wireless surveillance tools
- Evidence countermeasures and denial of service tools
- Peer-to-peer communications
- Botnets
28 LiveDiscover With LiveDiscover the investigator can scan the local network for all addressable network devices. During the scan a significant amount of information can be gleaned about both the network in general and details for specific hosts.
29 Most Current Solutions
- Require an agent to be installed first
- Expensive
- Limited functionality for less expensive law enforcement versions
- Must know which computer you are looking for and have physical access to it

30 How does LiveWire do it?
- First we need to map the network, done with LiveDiscover
- Identifies all attached devices
- Gives us all of the IP addresses
- Gives us all operating system information
- Shows us open ports etc.
- Shows us running services
- Gives us a detailed report of all that was found
37 Using LiveWire
43 Next Step
- Make a snapshot of the memory
- Save it to the local computer
- The snapshot can be examined later with LiveWire or another tool
- Search the contents of memory

45 Final Step
- Create an image of hard drives
- Create an image of CD/DVDs
- Create an image of USB devices
- Copy the registry
- Browse the remote file system
- Copy remote files to the local system
- Examine the DD image file with your favorite forensic tool (UTK for example)

46 Gargoyle Investigator
- Sometimes we need to find out if malicious software is running on a system
- Other times we are looking for a specific file or set of files without knowing where they are on the network
- In cases involving child pornography we want to check a system against a known set of hash values

47 Why Gargoyle Investigator
- Accurate, fast detection of cyber weapons and malicious code usage is essential. Time to investigate needs to be reduced.
- Over 20 categories of malicious code and cyber weapons exist today, with offerings increasing daily.
- It is virtually impossible for individual investigators to keep up with the explosion of malware.
- The newest malware and cyber weapons are difficult to detect and identify.
- With 250,000+ files on a typical hard drive, automated, accurate, up-to-date detection is essential.

48 Gargoyle cont.
- Law enforcement faces the Trojan Defense, whereby criminals claim that their system was invaded by Trojans and rootkits that placed the damaging evidence there. LE requires technology that provides evidence to thwart that defense.
- Wetstone researches the newest malicious software and updates the hash values used.
- The investigator can add their own hash values.

49 Gargoyle Investigator Solution
Gargoyle is a rapid search tool capable of locating evidence of resident cyber weapons and malware:
- Rootkits
- Key loggers
- Spyware
- Password crackers
- Steganography
- Encryption
- Wired and wireless sniffers

50 Cont.
- Distributed denial of service weapons
- Worm and virus building kits
- Peer-to-peer communications
- Evidence altering tools
- Evidence erasing tools
- Credit card generators
- Hacking tools
- Botnets
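Slides 16, 46 and 48 describe the same technique: locate known files by one-way hash value, against a set the vendor maintains and the investigator can extend. As an added example (not LiveWire or Gargoyle code), the block below implements that search over a file tree: files are hashed once in chunks, compared against a small hash set, and reported with the label attached to the matching entry. The `algo:hexdigest,label` line format, the function names and the sample files are this example's own constructions.

```python
"""Known-file search by one-way hash value (added example).

Every file under a path is hashed once, in chunks, and reported when its
digest appears in a hash set that a vendor supplies and the investigator
extends with their own entries. A match identifies content, not who
placed it or when. The hash set format is an assumption of this example.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large files
_DIGEST_LEN = {"md5": 32, "sha256": 64}


def load_hashset(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'algo:hexdigest[,label]' lines into {hexdigest: label}.

    Blank lines and '#' comments are skipped so investigators can annotate
    their own additions. A malformed line is an error, not a silent skip:
    a typo in the set must not turn into a missed match.
    """
    known: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        algo_digest, _, label = line.partition(",")
        algo, _, digest = algo_digest.partition(":")
        algo, digest = algo.strip().lower(), digest.strip().lower()
        expected = _DIGEST_LEN.get(algo)
        if expected is None or len(digest) != expected \
                or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad hash set line: {raw!r}")
        known[digest] = label.strip() or "unlabelled"
    return known


def hash_file(path: str) -> Tuple[str, str]:
    """Return (md5, sha256) of a file, reading it once in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root: str, known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, digest, label) for each file in the set.

    Symlinks are skipped so a link loop or a link to another volume cannot
    pull the scan outside the tree being examined. A file that vanishes or
    cannot be read mid-scan is reported with an 'error' label instead of
    aborting, so one unreadable file does not spoil the whole run.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digests = hash_file(path)
            except OSError as exc:
                hits.append((path, "", f"error: {exc.strerror}"))
                continue
            for digest in digests:
                if digest in known:
                    hits.append((path, digest, known[digest]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Scan a constructed sample tree; returns (relative path, digest, label)."""
    sample_a = b"constructed sample of a vendor-listed file\n"
    sample_b = b"constructed sample of a case-specific file\n"
    known = load_hashset([
        "# vendor-supplied entry",
        "sha256:" + hashlib.sha256(sample_a).hexdigest() + ",vendor-listed",
        "# investigator's own addition",
        "md5:" + hashlib.md5(sample_b).hexdigest() + ",case-specific",
    ])
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel, data in (("a.bin", sample_a), (os.path.join("sub", "b.txt"), sample_b),
                          (os.path.join("sub", "c.txt"), b"unrelated content\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        hits = scan_tree(root, known)
        return sorted((os.path.relpath(p, root), d, l) for p, d, l in hits)
```

Because a hash set match is only as good as the set, the scan result should be recorded together with the version or date of the hash set used, which is the kind of detail the investigator's log needs to carry.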
55 Closing
- LiveWire, LiveDiscover and Gargoyle are powerful tools in the forensic investigator's arsenal
- The training and tools are a great complement to the AccessData Ultimate ToolKit
- LiveWire makes it easy to get the data and UTK makes it possible to examine it and report on it