Incident Response for Cheapskates - BSidesTO 2013

Transcript

1. Incident Response Incident Response for Cheapskates for Cheapskates Lee Brotherston

   Lee Brotherston

2. Let's define an Let's define an Incident Incident

3. Where can we Where can we Improve? Improve?

4. Hijack Hijack Integrate with Integrate with Existing Existing processes processes

5. Roles & Roles & Responsibilities Responsibilities

6. Determine the Determine the Rules Rules of engagement of engagement

7. Leverage Leverage existing existing tools tools

8. Relationships and Relationships and Politics Politics

9. SIEM'less SIEM'less Intelligence Intelligence

10. Live system Live system Forensics Forensics

11. Sniper Sniper Forensics Forensics

12. Memory Analysis with Memory Analysis with Volatility Volatility

13. The Sleuth Kit + The Sleuth Kit + Autopsy Autopsy

14. But... Encase & hardware But... Encase & hardware Write Write

    Blocker? Blocker?
15. None
16. None

17. Oxford Semiconductor Oxford Semiconductor OXUF922 Bridge Chip OXUF922 Bridge Chip

    Oxford Semiconductor Oxford Semiconductor OXUF922 Bridge Chip OXUF922 Bridge Chip Agere Agere FW801 FW801 Agere Agere FW801 FW801 Flash Flash SST SST 39VF100 39VF100 Flash Flash SST SST 39VF100 39VF100 RAM RAM IDT IDT 71V016SA 71V016SA RAM RAM IDT IDT 71V016SA 71V016SA Firewire Firewire Firewire Firewire USB USB USB USB IDE IDE IDE IDE Write Blocker Diagram Write Blocker Diagram

18. Arm Arm Processor Processor OXUF922 Bridge Chip OXUF922 Bridge Chip

    DMA DMA 1394 / USB / 1394 / USB / UART / IDE / UART / IDE / Serial Serial Queue Queue Manager Manager RAM RAM Control Control

19. Hardware Write Blockers Hardware Write Blockers Run Software! Run Software!

    Attribution: Brad McMahon Attribution: Brad McMahon Attribution: Brad McMahon Attribution: Brad McMahon

20. Taking an image with Taking an image with dc3dd /

    dd dc3dd / dd

21. # parted /mnt/usbdsk/target0_img.dd # parted /mnt/usbdsk/target0_img.dd GNU Parted 2.3 GNU

    Parted 2.3 Using /mnt/usbdsk/target0_img.dd Using /mnt/usbdsk/target0_img.dd Welcome to GNU Parted! Type 'help' to view a list of commands. Welcome to GNU Parted! Type 'help' to view a list of commands. (parted) unit (parted) unit Unit? [compact]? B Unit? [compact]? B (parted) print (parted) print Model: (file) Model: (file) Disk /mnt/usbdsk/target0_img.dd: 500107862016B Disk /mnt/usbdsk/target0_img.dd: 500107862016B Sector size (logical/physical): 512B/512B Sector size (logical/physical): 512B/512B Partition Table: msdos Partition Table: msdos Number Start End Size Type File Number Start End Size Type File 1 1048576B 210763775B 209715200B primary ntfs 1 1048576B 210763775B 209715200B primary ntfs 2 210763776B 107586662399B 107375898624B primary ntfs 2 210763776B 107586662399B 107375898624B primary ntfs 3 107586662400B 479341645311B 371754982912B primary ntfs 3 107586662400B 479341645311B 371754982912B primary ntfs 4 479341645312B 500103450111B 20761804800B primary diag 4 479341645312B 500103450111B 20761804800B primary diag (parted) quit (parted) quit # mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/ # mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/ # ls /mnt/image/ # ls /mnt/image/ pagefile.sys Program Files System Volume pagefile.sys Program Files System Volume Information Documents and Settings PerfLogs Information Documents and Settings PerfLogs Program Files (x86) Recovery Users Program Files (x86) Recovery Users ProgramData $Recycle.Bin ProgramData $Recycle.Bin Windows Windows

22. What about virtualised What about virtualised Environments? Environments?

23. Free Forensics Tools Free Forensics Tools vs Encase vs Encase

24. Data & File Analysis Data & File Analysis Tools Tools

25. For starters try For starters try C.A.IN.E C.A.IN.E (Linux LiveCD)

    (Linux LiveCD)

26. Remediation Remediation Cleanup/Shutdown/Prosecute Cleanup/Shutdown/Prosecute

27. Lessons Learned. Let's Lessons Learned. Let's Market! Market!

28. Thank you Thank you Any Questions? Any Questions? Lee Brotherston

    - Lee Brotherston - @leEb_public - @leEb_public - [email protected] [email protected] Lee Brotherston - Lee Brotherston - @leEb_public - @leEb_public - [email protected] [email protected]

29. Some Things I Mentioned Some Things I Mentioned • Flow-tools:

    Flow-tools: http://www.splintered.net/sw/flow- http://www.splintered.net/sw/flow- tools/ tools/ • Sleuthkit & Autopsy: Sleuthkit & Autopsy: http://www.sleuthkit.org/ http://www.sleuthkit.org/ • Volatility: Volatility: https://www.volatilesystems.com/default https://www.volatilesystems.com/default /volatility /volatility • C.A.IN.E: C.A.IN.E: http://www.caine-live.net/ http://www.caine-live.net/ • Dc3dd: Dc3dd: http://sourceforge.net/projects/dc3dd/ http://sourceforge.net/projects/dc3dd/