FORENSIC ANALYSIS Aleš Padrta

Similar documents
5 Steps to Advanced Threat Protection

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

The Value of Physical Memory for Incident Response

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

That Point of Sale is a PoS

Metasploit ing the target machine is a fascinating subject to all security professionals. The rich list of exploit codes and other handy modules of

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

CRYPTUS DIPLOMA IN IT SECURITY

How We're Getting Creamed

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

NAS SERVER FOR EXTERNAL HDD

Incident Response and Computer Forensics

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Incident Response. Six Best Practices for Managing Cyber Breaches.

Security A to Z the most important terms

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

A New Era. A New Edge. Phishing within your company

Windows Operating Systems. Basic Security

The Key to Secure Online Financial Transactions

Global Security Report 2011

"EZHACK" POPULAR SMART TV DONGLE REMOTE CODE EXECUTION

Using big data analytics to identify malicious content: a case study on spam s

Nemea: Searching for Botnet Footprints

How To Monitor Attackers On A Network On A Computer Or Network On An Uniden Computer (For Free) (For A Limited Time) (Czechian) (Cybercrime) (Uk) (Cek) (Kolomot

Check Point: Sandblast Zero-Day protection

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

USM IT Security Council Guide for Security Event Logging. Version 1.1

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

June 2014 WMLUG Meeting Kali Linux

Computer Security Literacy

egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game.

INDUSTRY OVERVIEW: FINANCIAL

WEB ATTACKS AND COUNTERMEASURES

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

Tracking Anti-Malware Protection 2015

Detailed Description about course module wise:

Smartphone Pentest Framework v0.1. User Guide

ANDRA ZAHARIA MARCOM MANAGER

Installation Guide. Research Computing Team V1.9 RESTRICTED

Common Cyber Threats. Common cyber threats include:

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Shellshock. Oz Elisyan & Maxim Zavodchik

System Security Policy Management: Advanced Audit Tasks

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

RMAR Technologies Pvt. Ltd.

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Full version is >>> HERE <<<

Remote Desktop access via Faculty Terminal Server Using Internet Explorer (versions 5.x-7.x)

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Appendix to; Assessing Systemic Risk to Cloud Computing Technology as Complex Interconnected Systems of Systems

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Management Website User Guide. SecureAnywhere AntiVirus SecureAnywhere Internet Security Plus SecureAnywhere Complete

Security Analytics The Beginning of the End(Point)

Cyber Security. Maintaining Your Identity on the Net

Lab 12: Mitigation and Deterrent Techniques - Anti-Forensic

Protecting Your Organisation from Targeted Cyber Intrusion

Build Your Own Security Lab

Trend Micro Cloud App Security for Office 365. October 27, 2015 Trevor Richmond

Penetration Testing with Kali Linux

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Alert (TA14-212A) Backoff Point-of-Sale Malware

Spy Eye and Carberp the new banker trojans offensive

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

VCL Access. VCL provides access to Linux and Windows 7 Virtual Machines. Users will only see those images that they are authorized to access.

Computer Security DD2395

Network and Host-based Vulnerability Assessment

Malware Analysis Quiz 6

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

The Peak of Chaos Shane D. Shook, PhD 10/31/2012

Current Threat Scenario and Recent Attack Trends

CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.

What IT Auditors Need to Know About Secure Shell. SSH Communications Security


Activity 1: Scanning with Windows Defender

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Under the Hood of the IBM Threat Protection System

Instructions for use the VPN at the Warsaw School of Economics

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Threat Events: Software Attacks (cont.)

IDS and Penetration Testing Lab ISA 674

Locking down a Hitachi ID Suite server

Honeypot that can bite: Reverse penetration

NATIONAL CYBER SECURITY AWARENESS MONTH

Transcription:

FORENSIC ANALYSIS Aleš Padrta

CESNET, CESNET-CERTS, FLAB CESNET Czech NREN operator CESNET-CERTS 2004 Established 2008 Accredited CSIRT FLAB Forensic LABoratory Established 6/2011 Support team for CESNET-CERTS Incident analysis Penetration testing Other services 2

Belgrade Security Workshop 2015 Part I. Brief Introduction 3

Why Forensic Analysis? Security Incident Handling Standard process Acquiring answers Detail (forensic) analysis 4

Cooperation Scheme Customer Problem (Incident) Description Evidence Metadata Questions Analyst Own / Outsourced Knowledge Answers 5

Typical Questions Is some backdoor left there? When was the server hacked? Were used antiforesics methods? Which USB devices were connected? When was the system on-line? Which applications were used? Which webpages were visited? What was the content of communication? Which files were modified? Who used the device? How to find all infected machines? What did the user do? Which wifi networks were used? Was some malware present? Which IP addresses were used by attacker? Which vulnerability has been exploited? Can you work faster? 6

Belgrade Security Workshop 2015 Part II. Practical Examples 7

Belgrade Security Workshop 2015 CASE 1 Attack Vector on Web server 8

Attack vector on Web server Metadata Web defacement Suspicious files on HDD Evidence Unauthorized application HDD image Questions How was the server infiltrated? Which files were created / modified? Did attacker created some backdoor? 9

Attack vector on Web server Think Over Phase What we have Files MAC times Deleted files (Delete = MFT change, data stay on disk) Time information Unauthorized application Hack time ( you have been hacked picture) Last reinstallation time, shutdown time, admin access,... How and when was installed What we can do Create timeline activity find attacker tools File analysis 10

Attack vector on Web server Analysis scheme 11

Attack vector on Web server Event timeline reconstruction T=0 Recon manager/.../howto.html T=+10:09 Passwd guessing (3 times) T=+14:24 Login to manager T=+14:30 Upload unauthorized app T=+14:43 Start using unauthorized app (remote shell) Download more tools Download & distribute you have been hacked webpage Access to files T=+20:15 Attempt to antiforensics 12

Attack vector on Web server Answers to questions How was the server infiltrated? Which files were created / modified? Default + weak password for admin users Acquired list of files Did attacker created some backdoor? Downloaded Tried to install Unsuccessfully 13

Belgrade Security Workshop 2015 CASE 2 Device User Identification 14

Device User Identification Metadata Evidence We found the device Want to handle it properly Nokia N810 + accessories Questions Who used the device? When was the device used for the last time? What kind of data was on the device? 15

Device User Identification Think Over Phase What we have Mobile device Maemo Linux (modified Debian) System partition Data partition Files MAC times, deleted files Communication device links to external sources? What we can do Get the system logs timestamps Get user data timestamps, metadata, contents 16

Device User Identification Creating images MicroSD card Internal memory Application rootsh, DropBear SSH client nad Server changes to system drive dd, transfer via SSH 3 drives Connect to PC + FTK Imager Internal: system (JFFS2), data (FAT32) Removable: microsd card (FAT32) Analysis scheme more extensive 17

Device User Identification Analysis Carved files 18

Device User Identification Analysis Swapfile 19

Device User Identification Analysis Data mining Boarding pass Doctoral thesis Web www.my-travel.diary Academic site 20

Device User Identification Answers to questions Who used the device? John Excavator (main user) Emily Gold-Digger (secondary user, GF of J.E.) When was the device used for the last time? 20.8.2014 14:13 UCT (data deletion) What kind of data was on the device? Freetime related (travelling, guns hobby) Academic work/study (doctoral thesis, research papers) 21

Belgrade Security Workshop 2015 CASE 3 Quick Malware Analysis 22

Quick Malware Analysis Metadata Evidence Scam e-mails delivered (1000s users) Malware in attachment Without AV detection Several E-mail attachments Questions How to identify infected machines? How to stop malware outbreak? How to remove the malware? 23

Quick Malware Analysis Think Over Phase What we have E-mail attachments several malware samples Little time (data for incident response) Typical malware Changes to filesystem (create/modify files) Changes to registry (MS Windows) Communication with dropzone / C&C What we can do Dynamic analysis run in monitored environment Analyse changes 24

Quick Malware Analysis Controlled environment Virtual machine preparation Run malware Process monitor Wireshark CaptureBat RegShot Collect data Analyse collected data Part of ProcDot output ProcDot (graphic visualization) 25

Quick Malware Analysis Analysis results 26

Quick Malware Analysis Answers to questions How to identify infected machines? Local signs: registry and filesystem changes Network signs: communication with list of IP addresses How to stop malware outbreak? Block creation of ate.exe (manual rule for AV/HIPS) How to remove the malware? Userspace clean profile Recommended reinstall (unknown orders from C&C) 27

Belgrade Security Workshop 2015 CASE 4 Malware Reverse Engineering 28

Malware Reverse Engineering Metadata Evidence Malicious PDF / page visit Locked computers Virtual machines images Memory image Captured communications Questions How does the malware infect the machine? Which changes were made on infected machine? Where are the C&C servers? What kind of data is collected and sent to C&C? 29

Malware Reverse Engineering Think Over Phase What we have Image of drive & memory Communication Webpages not accessible online What we can do Analyse attack vector Memory, drive, communication Reverse engineering of malware Detail insight IDA Pro, OllyDbg 30

Malware Reverse Engineering Attack vector Webpage Infect page Professional exploit pack Install botnet client Payload (Ransomware) Entry point Redirect C&C order Download & Run IP addresses change in time 31

Malware Reverse Engineering Exploit Pack analysis Based on Blackhole Three variants PDF with exploit Font installation Java vulnerability Files used by malware (for detail analysis) %userprofile%/local settings/temp/wlsidten.dll %allusersprofile%/app Data/netdislw.pad 32

Malware Reverse Engineering 33

Malware Reverse Engineering Malware overview 34

Malware Reverse Engineering How it works Communication thread Persistence thread Code injection to web browser Bypass AV/HIPS rules Write value to registry Each 500ms Hide Task Manager thread Minimize Task Manager window Each 500ms 35

Malware Reverse Engineering How it works Ransompage Borland Delphi screen StayOnTop Offline code pre-validion Show webcam picture or noise Show IP address geoinfo User profile oriented can be removed 36

Malware Reverse Engineering Answers to questions How does the malware infiltrate the machine? Which changes are made on infected machine? Install botnet client Download and run Ransomware Where are the C&C servers? One of the exploit PDF/font intallation/java List of IP addresses + domain name What kind of data is collected and sent to C&C? Volume ID, IP address, webcam picture, entered code 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information