ch08
parent 1ea7d28273
commit f4f6fa119a
@ -0,0 +1,112 @@
# Digital forensics

* branch of forensic science focused on recovery, investigation, analysis of
material on digital devices
* goal: uncover and preserve digital evidence
* pillars
* **identification**: recognize potential sources of evidence (computers,
phones...)
* **preservation**: ensure digital evidence is protected from tampering
(e.g. taking disk images)
* **analysis**: examine evidence to extract information
* **documentation**: keep detailed records of all actions done during
investigation
* **presentation**: report findings in a clear way

## Types of devices

1. computers and laptops: disk image made, analyse for files, browser history,
metadata...
2. smartphones and tablets: call logs, messages, GPS, cloud data...
3. network devices and servers: logged/real-time network traffic
4. IoT devices: configuration, certificates, user interaction data
5. wearables: user profile, GPS data
6. drones: telemetry data, video/photos
7. vehicles: onboard computers contain lots of information (engine control,
navigation...)
8. medical devices: patient health data, usage logs...
9. CCTVs: video footage, access logs
10. device memory (RAM): memory of running processes, network connections...
11. gaming consoles: personal user info, communication (chat logs)
12. cloud storage: files and data

## Cyber-incident response process

Secure. Contain. Protect.

1. preparation: identify risk, plan for threats, training
2. incident identification
* event monitoring, alerting, threat analysis
* identify stage attackers are in
3. containment / intelligence development
4. eradication / remediation
* harden entrypoints / patch
* purge malicious files
5. recovery: restore from backups; get back to safe state
6. improvement
* report on what happened
* update training

### indicators of compromise

* evidence that points to breach
* some examples
1. unusual network traffic
2. suspicious file activity: malware signatures, unauthorized file creation
3. abnormal user behavior
4. system performance anomalies
5. log file entries: weird stuff in logs, basically all of this but in the
logs
6. malicious emails
7. changes in configuration
8. unauthorized access attempts
9. indicators in memory and processes
10. external device connections
11. anomalies in data exfiltration
* unusual outbound data transfers
* use of non-standard ports or encrypted channels
12. DNS anomalies
* queries to known malicious domains
* sudden spike
* unusual traffic patterns

### Indicator sharing languages

* **[STIX](https://oasis-open.github.io/cti-documentation/)**: Structured
threat Information Expression
* **[MISP XML and JSON](https://github.com/MISP/MISP)**
* transport protocols
* Traffic Light Protocol (TLP)
* TAXII: HTTPS exchange of STIX info
* Yara and Yara-X: pattern matching tools for malware identification
* MISP
* open framework for sharing IoC information

### Indicator of attack

* newer cousin of IoC
* proactive
* tries to identify intent of attacker regardless of exploit used
* nowadays lots of malware is signed with legit certificate
* bought from lax CAs
* by setting up fake company
* stealing certificates
* entropy as indicator: measure of randomness in system
* malware packs, compresses, encrypts and obfuscates
* this greatly increases entropy in file
* entropy calculation can be used to detect malware
* tools
* pestudio: static file analysis tool
* cuckoo sandbox: sandbox environment to analyse malware
* redline: tool to analyse processes and file handles on host
* Process Hacker: visual overview of running processes; inspect memory
* ProcMon: record live process activity
* ProcDot: graphical presentation of ProcMon data
* Fiddler: acts like web proxy to analyse HTTP(S) traffic
* forensic tools
* Encase: tool to find case evidence on devices
* FTK: forensic toolkit
* X-Ways Forensics: can restore deleted files
* Sleuth-Kit and Autopsy: disk image investigation
* Volatility: toolkit for investigation RAM to extract data
* create RAM dump
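Review bot: the "transport protocols" sub-list in the Indicator sharing languages section mixes categories: of its three entries only "TAXII: HTTPS exchange of STIX info" is a transport protocol, while TLP is a marking scheme that states how widely received information may be redistributed and Yara/Yara-X are pattern-matching tools, so TLP belongs beside STIX and MISP as a sharing convention and Yara under the tools list of the next section. Smaller points: MISP appears twice (the "MISP XML and JSON" format entry and the "open framework for sharing IoC information" entry could be merged); STIX expands to "Structured Threat Information Expression" with a capital T; the Volatility entry should read "toolkit for investigating RAM"; and the third-level headings are capitalised inconsistently ("indicators of compromise" against "Indicator sharing languages"), with "Indicator of attack" better made plural to match the IoC heading it is contrasted with.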