net-sec-samenvatting/08_digital_forensics.md

Digital forensics

  • branch of forensic science focused on recovery, investigation, analysis of material on digital devices
  • goal: uncover and preserve digital evidence
  • pillars
    • identification: recognize potential sources of evidence (computers, phones...)
    • preservation: ensure digital evidence is protected from tampering (e.g. taking disk images)
    • analysis: examine evidence to extract information
    • documentation: keep detailed records of all actions done during investigation
    • presentation: report findings in a clear way

Types of devices

  1. computers and laptops: disk image made, analyse for files, browser history, metadata...
  2. smartphones and tablets: call logs, messages, GPS, cloud data...
  3. network devices and servers: logged/real-time network traffic
  4. IoT devices: configuration, certificates, user interaction data
  5. wearables: user profile, GPS data
  6. drones: telemetry data, video/photos
  7. vehicles: onboard computers contain lots of information (engine control, navigation...)
  8. medical devices: patient health data, usage logs...
  9. CCTVs: video footage, access logs
  10. device memory (RAM): memory of running processes, network connections...
  11. gaming consoles: personal user info, communication (chat logs)
  12. cloud storage: files and data

Cyber-incident response process

Secure. Contain. Protect.

  1. preparation: identify risk, plan for threats, training
  2. incident identification
    • event monitoring, alerting, threat analysis
    • identify which stage of the attack the attackers are in
  3. containment / intelligence development
  4. eradication / remediation
    • harden entrypoints / patch
    • purge malicious files
  5. recovery: restore from backups; get back to safe state
  6. improvement
    • report on what happened
    • update training

indicators of compromise

  • evidence that points to breach
  • some examples
    1. unusual network traffic
    2. suspicious file activity: malware signatures, unauthorized file creation
    3. abnormal user behavior
    4. system performance anomalies
    5. log file entries: anomalies in logs (most of the indicators above also leave traces in log files)
    6. malicious emails
    7. changes in configuration
    8. unauthorized access attempts
    9. indicators in memory and processes
    10. external device connections
    11. anomalies in data exfiltration
      • unusual outbound data transfers
      • use of non-standard ports or encrypted channels
    12. DNS anomalies
      • queries to known malicious domains
      • sudden spike
      • unusual traffic patterns

Indicator sharing languages

  • STIX: Structured Threat Information Expression
  • MISP XML and JSON
  • transport protocols
    • Traffic Light Protocol (TLP)
    • TAXII: HTTPS exchange of STIX info
  • Yara and Yara-X: pattern matching tools for malware identification
  • MISP
    • open framework for sharing IoC information

Indicator of attack

  • newer cousin of IoC
  • proactive
  • tries to identify intent of attacker regardless of exploit used
  • nowadays lots of malware is signed with legit certificate
    • bought from lax CAs
    • by setting up fake company
    • stealing certificates
  • entropy as indicator: measure of randomness in system
    • malware packs, compresses, encrypts and obfuscates
    • this greatly increases entropy in file
    • entropy calculation can be used to detect malware
  • tools
    • pestudio: static file analysis tool
    • cuckoo sandbox: sandbox environment to analyse malware
    • redline: tool to analyse processes and file handles on host
    • Process Hacker: visual overview of running processes; inspect memory
    • ProcMon: record live process activity
    • ProcDot: graphical presentation of ProcMon data
    • Fiddler: acts like web proxy to analyse HTTP(S) traffic
  • forensic tools
    • Encase: tool to find case evidence on devices
    • FTK: forensic toolkit
    • X-Ways Forensics: can restore deleted files
    • Sleuth-Kit and Autopsy: disk image investigation
    • Volatility: toolkit for investigating RAM to extract data
      • create RAM dump
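Added example (not part of the course notes) for the entropy indicator listed above: Shannon entropy in bits per byte, computed over fixed-size windows so that a packed or encrypted region inside an otherwise ordinary file stands out. The 7.0 bits/byte threshold is an assumed common heuristic, and the sample buffers are constructed, not real malware.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    # Each distinct byte value contributes -p * log2(p)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 512) -> list:
    """Entropy of each consecutive window; a high-entropy window in a
    low-entropy file points at a packed/encrypted section."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = 7.0, window: int = 512) -> bool:
    """Flag the buffer if any window exceeds the threshold (assumed 7.0 bits/byte).
    This is a triage heuristic, not proof of malware: legitimate compressed or
    encrypted content (archives, images, key material) scores just as high."""
    return any(e > threshold for e in windowed_entropy(data, window))


# Constructed samples: repeated plain text (low entropy) versus seeded
# pseudo-random bytes standing in for a packed/encrypted payload.
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 40
_rng = random.Random(1234)
PACKED_LIKE = bytes(_rng.getrandbits(8) for _ in range(2048))
# A "mixed" file: ordinary data followed by a high-entropy section
MIXED = PLAIN[:1024] + PACKED_LIKE[:1024]

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("packed-like", PACKED_LIKE), ("mixed", MIXED)):
        print(f"{name:12s} entropy={shannon_entropy(buf):.2f} "
              f"windows={[round(e, 2) for e in windowed_entropy(buf)]} "
              f"flagged={looks_packed(buf)}")
```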