Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector.

Slides:



Advertisements
Similar presentations
Working with Disks and Devices
Advertisements

An Isolated Network in Support of an Advanced Networks and Security Course LTC Curtis A. Carver Jr. LTC John M.D. Hill Dr. Udo W. Pooch.
Rodney Buike IT Pro Advisor, Microsoft Canada
WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+
1 Voice Sensor Lie Detector Pre-Employment& Periodic Checks Global Security.
Effective Discovery Techniques In Computer Crime Cases.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Trend Micro Round Table May 19, Agenda Introduction – why switch? Timeline for implementation Related policies Trend Micro product descriptions.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Maintaining and Updating Windows Server 2008
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
MDOP 2010: Diagnostic and Recovery Toolset (DaRT) Speaker Fabrizio Grossi
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008
Data Acquisition Chao-Hsien Chu, Ph.D.
Incident Response: The First 10 Minutes Matt Bing Incident Response Coordinator The University of Michigan
New Data Regulation Law 201 CMR TJX Video.
Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.
Wireshark Presented By: Hiral Chhaya, Anvita Priyam.
COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk.
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
IT GOVERNANCE AND CYBERCRIME Open Source Forensic Tools 19/04/10.
WINDOWS SYSTEMS AND ARTIFACTS John P. Abraham Professor UTPA.
MAC Times Modification (mtime) When the file contents were CHANGED Change = addition or deletion or change of any single BYTE/Character… even if it doesn’t.
BACS 371 Computer Forensics
1. Windows Vista Enterprise And Mid-Market User Scenarios 2. Customer Profiling And Segmentation Tools 3. Windows Vista Business Value And Infrastructure.
Using the WDK for Windows Logo and Signature Testing Craig Rowland Program Manager Windows Driver Kits Microsoft Corporation.
IT Essentials 1 v4.0 Chapters 4 & 5 JEOPARDY RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands.
Recordkeeping for Good Governance Toolkit Digital Recordkeeping Guidance Funafuti, Tuvalu – June 2013.
CIS 460 – Network Design Seminar Network Security Scanner Tool GFI LANguard.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
PC MANAGER MEETING January 23, Agenda  Next Meeting  Training  Windows Policy  Main Topic: Windows AV Service Review.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
Timeline Analysis Geoff Black, EnCE, SnortCP Senior Forensic Consultant Professional Services Division Guidance Software, Inc.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
3.05 Protect Your Computer and Information Unit 3 Internet Basics.
Microsoft.com/publicsector Records Management Microsoft Records Management for Government Agencies.
COEN 250 Computer Forensics Windows Life Analysis.
Lecture 19 Page 1 CS 236 Online Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Computer Forensics Presented By:  Anam Sattar  Anum Ijaz  Tayyaba Shaffqat  Daniyal Qadeer Butt  Usman Rashid.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
Data recovery in 15 minutes or less UsingKnoppix.
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.
Delivering Assured Services John Weigelt National Technology Officer Microsoft Canada.
Computer Forensics By Chris Brown. Computer Forensics Defined Applying computer science to aid in the legal process Utilization of predefined set of procedures.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
Cellular Records Review and Analysis Part 2: Verizon.
Sniper Corporation. Sniper Corporation is an IT security solution company that has introduced security products for the comprehensive protection related.
Palindrome Technologies all rights reserved © 2016 – PG: Palindrome Technologies all rights reserved © 2016 – PG: 1 Peter Thermos President & CTO Tel:
Maintaining and Updating Windows Server 2008 Lesson 8.
Computer Forensics. OVERVIEW OF SEMINAR Introduction Introduction Defining Cyber Crime Defining Cyber Crime Cyber Crime Cyber Crime Cyber Crime As Global.
Advanced Endpoint Security Data Connectors-Charlotte January 2016
Frequently Asked Questions Thin Clients, Linux, and LTSP
Critical Security Controls
Malware Reverse Engineering Process
Microsoft Virtual Academy
Malware Reverse Engineering Process
How to Install and Setup Quick Heal Antivirus Call
Cybersecurity Strategy
Testing mobile broadband devices
Implementing Client Security on Windows 2000 and Windows XP Level 150
Presentation transcript:

Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector and Duration of a Malware Infection

Agenda Introduction Problem Methodology Toolkit Demonstration Conclusion

Introduction John Ritchie –Doing IS since 1998 Pwned! –CISSP, GCFA Gold, GCIH, GREM –SIRT Lead

Oregon Enterprise Security Office Statewide Information Security Enterprise-wide Policies Enterprise Programs Statewide Incident Response IR Forensics Lab Agency Consultation

Problem #1: Malware With us to stay Evolving Extremely Sophisticated Data Theft

Problem #2: Risk Data Loss Exposure Window Liability

Problem #3: Expertise Malware Forensics IR Procedures Risk Quantification

Back In the Lab Agency Malware Cases Repetitive Processes Same Questions –How did this get here? –Where did it come from? –How long has it been here? –What data has been stolen?

Our Product Standard Methodology Toolkit Enables Methodology Audience –First Responders –Mid-level techs –Minimum or No forensic training

10 Methodology Mount Infected Volume RO Scan with 1+ A/V products Extract and Scan MBR Build Timeline of Activity Locate start point in Timeline Locate more Malware Analyze Malware, Timeline Draw Conclusions, Report

Toolkit Goals Easy to Use Supports Methodology Safe Consistent Results 11

Toolkit Details Linux Boot CD Software write-blocker Automates Methodology Steps Additional tools 12

Caveats Not For In-depth Forensics Not For Legal Evidence Not For Full Malware Analysis May not locate all Malware Cannot Prevent Foot Shooting 13

Setup & Prerequisites Two Machines –Infected Victim –Analysis Workstation USB drive, 1+G, No Autorun, U3 Malware Toolkit Boot CD Crossover Cable or Switch External Data Sources? 14

Analysis Workstation Windows, Mac or Linux? Fully-Patched Up-to-date AV product(s) –Quality Product –Different from Infected Victim Autorun disabled Dual-NIC (Hard-wire + wireless OK) 15

Network Setup 16

Process Overview Boot Victim from Malware CD –Warning: user error opportunity! Plug in USB Drive After Boot Network Between Victim and Analysis Machines –Static IP setup –Don’t use live network! 17

Process (cont.) Set Timezone if not Pacific Start Timeline Generation Share Victim drive Run A/V against shared drive Extract MBR and scan 18

Process (cont.) Identify and Document A/V findings –Use CAUTION! Analyze Timeline Reiterate 19

Timeline: What Is It? History of Activity –Sorted by Date –File System, Metadata (file contents), Registry Mod Times Data, Not Report Key to Answering 4 Questions Most Difficult part Requires Interpretation 20

Example Filesystem Times 21

File System Timestamps MACB (NTFS) –M: File Last Modified –A: File Last Accessed –C: MFT Entry Last Modified –B: File Created Only Latest M, A, C, B Date Preserved for each file M, A, C, B dates may all be separate 22

File Metadata Timestamps 23

File Metadata Timestamps Integrates dated information from files on system –Browsers, EV Logs, FW logs, LNK files, Flash, restore point, UA keys Excellent! 24

Registry Mod Timestamps 25

Registry Mod Timestamps Integrates registry value Mod times Useful? or Not? Tip: Registry Mod dates may get reset by patch activity 26

Forensics Tips Challenge your assumptions! Read entries in context. Isolated entries aren’t good evidence “A” last-access dates can be (mostly) ignored “M” dates are less reliable than “B” dates Metadata Entries Most Reliable 27

Safety First! Hazardous Material! Think before acting! Use non-native tools Do not double-click! Isolate yourself 28

Let’s Do It! Four Questions: –How did this get here? –Where did it come from? –How long has it been here? –What data has been stolen? 29

Did We Answer These? How did this get here? Where did it come from? How long has it been here? What data has been stolen? –Risk Evaluation Write Report 30

Program Successes Problem Statement –Malware, Risk, Inexperience Agency Adoption Other Improvements 31

Acknowledgements Shaun Gatherum, ESO Open Source Products –Kristinn Gudjonsson – log2timeline –Brian Carrier – The Sleuth Kit –e-fense – Helix –Harlan Carvey – regtime.pl –susestudio – build platform 32

Conclusion What next? –Changing Landscape –Toolkit Improvements Available at: Malware_Toolkit.shtml Contact: 33

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.