Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector.

Published byBrian Hines Modified over 9 years ago

Similar presentations

Presentation on theme: "Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector."— Presentation transcript:

1 Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector and Duration of a Malware Infection

2 Agenda Introduction Problem Methodology Toolkit Demonstration Conclusion

3 Introduction John Ritchie –Doing IS since 1998 Pwned! –CISSP, GCFA Gold, GCIH, GREM –SIRT Lead

4 Oregon Enterprise Security Office Statewide Information Security Enterprise-wide Policies Enterprise Programs Statewide Incident Response IR Forensics Lab Agency Consultation

5 Problem #1: Malware With us to stay Evolving Extremely Sophisticated Data Theft

6 Problem #2: Risk Data Loss Exposure Window Liability

7 Problem #3: Expertise Malware Forensics IR Procedures Risk Quantification

8 Back In the Lab Agency Malware Cases Repetitive Processes Same Questions –How did this get here? –Where did it come from? –How long has it been here? –What data has been stolen?

9 Our Product Standard Methodology Toolkit Enables Methodology Audience –First Responders –Mid-level techs –Minimum or No forensic training

10 10 Methodology Mount Infected Volume RO Scan with 1+ A/V products Extract and Scan MBR Build Timeline of Activity Locate start point in Timeline Locate more Malware Analyze Malware, Timeline Draw Conclusions, Report

11 Toolkit Goals Easy to Use Supports Methodology Safe Consistent Results 11

12 Toolkit Details Linux Boot CD Software write-blocker Automates Methodology Steps Additional tools 12

13 Caveats Not For In-depth Forensics Not For Legal Evidence Not For Full Malware Analysis May not locate all Malware Cannot Prevent Foot Shooting 13

14 Setup & Prerequisites Two Machines –Infected Victim –Analysis Workstation USB drive, 1+G, No Autorun, U3 Malware Toolkit Boot CD Crossover Cable or Switch External Data Sources? 14

15 Analysis Workstation Windows, Mac or Linux? Fully-Patched Up-to-date AV product(s) –Quality Product –Different from Infected Victim Autorun disabled Dual-NIC (Hard-wire + wireless OK) 15

16 Network Setup 16

17 Process Overview Boot Victim from Malware CD –Warning: user error opportunity! Plug in USB Drive After Boot Network Between Victim and Analysis Machines –Static IP setup –Don’t use live network! 17

18 Process (cont.) Set Timezone if not Pacific Start Timeline Generation Share Victim drive Run A/V against shared drive Extract MBR and scan 18

19 Process (cont.) Identify and Document A/V findings –Use CAUTION! Analyze Timeline Reiterate 19

20 Timeline: What Is It? History of Activity –Sorted by Date –File System, Metadata (file contents), Registry Mod Times Data, Not Report Key to Answering 4 Questions Most Difficult part Requires Interpretation 20

21 Example Filesystem Times 21

22 File System Timestamps MACB (NTFS) –M: File Last Modified –A: File Last Accessed –C: MFT Entry Last Modified –B: File Created Only Latest M, A, C, B Date Preserved for each file M, A, C, B dates may all be separate 22

23 File Metadata Timestamps 23

24 File Metadata Timestamps Integrates dated information from files on system –Browsers, EV Logs, FW logs, LNK files, Flash, restore point, UA keys Excellent! 24

25 Registry Mod Timestamps 25

26 Registry Mod Timestamps Integrates registry value Mod times Useful? or Not? Tip: Registry Mod dates may get reset by patch activity 26

27 Forensics Tips Challenge your assumptions! Read entries in context. Isolated entries aren’t good evidence “A” last-access dates can be (mostly) ignored “M” dates are less reliable than “B” dates Metadata Entries Most Reliable 27

28 Safety First! Hazardous Material! Think before acting! Use non-native tools Do not double-click! Isolate yourself 28

29 Let’s Do It! Four Questions: –How did this get here? –Where did it come from? –How long has it been here? –What data has been stolen? 29

30 Did We Answer These? How did this get here? Where did it come from? How long has it been here? What data has been stolen? –Risk Evaluation Write Report 30

31 Program Successes Problem Statement –Malware, Risk, Inexperience Agency Adoption Other Improvements 31

32 Acknowledgements Shaun Gatherum, ESO Open Source Products –Kristinn Gudjonsson – log2timeline –Brian Carrier – The Sleuth Kit –e-fense – Helix –Harlan Carvey – regtime.pl –susestudio – build platform 32

33 Conclusion What next? –Changing Landscape –Toolkit Improvements Available at: http://oregon.gov/DAS/EISPD/ESO/ Malware_Toolkit.shtml Contact: john.ritchie@state.or.us 33

Download ppt "Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector."

Similar presentations

Working with Disks and Devices

Working with Disks and Devices
An Isolated Network in Support of an Advanced Networks and Security Course LTC Curtis A. Carver Jr. LTC John M.D. Hill Dr. Udo W. Pooch.

An Isolated Network in Support of an Advanced Networks and Security Course LTC Curtis A. Carver Jr. LTC John M.D. Hill Dr. Udo W. Pooch.
Rodney Buike IT Pro Advisor, Microsoft Canada

Rodney Buike IT Pro Advisor, Microsoft Canada
WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+

WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+
1 Voice Sensor Lie Detector Pre-Employment& Periodic Checks Global Security.

1 Voice Sensor Lie Detector Pre-Employment& Periodic Checks Global Security.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.

Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Trend Micro Round Table May 19, 2006. Agenda Introduction – why switch? Timeline for implementation Related policies Trend Micro product descriptions.

Trend Micro Round Table May 19, Agenda Introduction – why switch? Timeline for implementation Related policies Trend Micro product descriptions.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
MDOP 2010: Diagnostic and Recovery Toolset (DaRT) Speaker Fabrizio Grossi

MDOP 2010: Diagnostic and Recovery Toolset (DaRT) Speaker Fabrizio Grossi
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008

STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008
Data Acquisition Chao-Hsien Chu, Ph.D.

Data Acquisition Chao-Hsien Chu, Ph.D.
Incident Response: The First 10 Minutes Matt Bing Incident Response Coordinator The University of Michigan

Incident Response: The First 10 Minutes Matt Bing Incident Response Coordinator The University of Michigan
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.

Similar presentations

Ads by Google