Usage Aspects Techniques For
Enterprise Forensics Data Analytics
Tools
Damir Delija
damir.delija@insig2.eu
"Nove sigurnosne ugroze i kritična nacionalna infrastruktura" (New Security Threats and Critical National Infrastructure)
Zagreb, 12-13.09.2013
Idea
• How to analyze the data in the internal database and data repositories of a forensic tool through external data analytics tools
• Or, as a generalization: access to hidden data in forensic tools, especially enterprise-class forensic tools
– (this is not a new problem; something very similar happened in network management ages ago)
Exploring the situation
• Try what can be collected from commercial forensic tools
– EnCase v7 and FTK as forensic tools
– InfoZoom as data presentation and analysis tool
• also some open source add-ons
Evolution Of Enterprise Forensics Capabilities
disk images: forensic image of remote physical or logical disks, acquired and preserved on the forensic workstation
memory images: forensic image of the whole RAM of a remote node, and memory images of processes, acquired and preserved on the forensic workstation
snapshot data: the current structure of users, processes, DLLs, open files and network information (ARP table, DNS table, routing table)
• each step brings a huge amount of data and metadata into the forensic tool
• this data is not worthless even if it is not directly related to the first line of examination
Forensic tools example: EnCase v7
• EnCase v7
– stores data in cache files and evidence files
• cache: processed data, usually SQLite
• evidence: original data
– other forensic tools store data in a database or in various files (FTK, X-Ways, UFED ...)
– the data is there, but what you can see is what the forensic tool allows you to see
• or it takes a huge effort to work around the tool to access the data
Forensics Components
EnCase Enterprise approach
[Diagram: Examiner workstations at Company Headquarters, SAFE servers, and Target Nodes at Main Office A, Main Office B and a Branch Office, connected over the WAN]
EnCase Enterprise sweep
• collects live snapshot data from all machines in the enterprise
– a forensic agent (servlet) is installed on each machine
• data goes into an SQLite db file on the examiner machine
• the GUI and interface in EnCase are harsh and unhelpful for data extraction / analysis
• access to data from EnCase: use the data browser or write an EnScript program
Simple Network Incident Scenario
step | task
1 Snapshot: forensic snapshot of the suspected machines involved in the incident
2 Internal analysis: analysis of the snapshot in the forensic tool; export of the data to other related tools for fine analysis
3 External analysis: analysis based on data properties (not intrinsically forensic values) with external tools; the data is made available to non-forensic tools (export, database connection etc.)
4 Action or redoing the snapshot: the results from step 3 go back into the forensic tool as a list of suspicious processes; further forensic analysis is carried out (hash analysis, entropy etc.)
• for any data consolidation it helps if an additional view into the data is available
• this view is problem dependent and very often fuzzy; it requires exporting the data into something else (very often Excel) or into an SQL database
Example
• a set of sweeps and the related SQLite db file
• Sweep.sqlite: all sweep data in one file
Explanation of data
• for each sweep (set of machine snapshots)
– some of the data is undocumented
– the set of machine snapshots is spread over various tables
• machine data
• users, groups
• network data (IP, route, ARP, MAC ..)
• DLLs and their attributes
– instances of a DLL, ownership, size, hash, loads
• processes and their attributes
– instances of a process, ownership, size, hash ..
– no disk info (that needs another method of access)
Data in sweep.sqlite: set of snapshots
Snapshot data
• info about the snapshots
IP data
• information about IP-related data in the snapshot
• data in native format (hex etc.)
Process data
• all data about a process as one big view
• easy to spot irregularities
Example: svchost.exe
– often infected through DLL injection
Example process
svchost.exe on all machines in the sweep db
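The following is an added example, not code from the presentation or from EnCase. It shows the external-analysis step (step 3 of the incident scenario) against a sweep database: first enumerate the schema of an undocumented SQLite cache, then decode IP data kept in native binary form, then compare every svchost.exe instance across all machines in the sweep and return the outliers as the list that goes back into the forensic tool in step 4. The sweep database is constructed in memory; its table and column names (machines, processes, ip_info and their columns) are assumptions for the illustration and not EnCase's real schema, and the process rows, hashes and addresses are constructed sample data.

```python
import sqlite3
import socket
from collections import defaultdict

# Constructed stand-in for a sweep .sqlite file. Table and column names are
# assumptions for this illustration; the real EnCase cache schema is undocumented.
SAMPLE_PROCESSES = [
    # (machine, process name, image path, owner, md5, parent process)
    ("WS01", "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM", "aaa1", "services.exe"),
    ("WS01", "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\NETWORK SERVICE", "aaa1", "services.exe"),
    ("WS02", "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM", "aaa1", "services.exe"),
    ("WS03", "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM", "aaa1", "services.exe"),
    ("WS03", "svchost.exe", "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "CORP\\bob", "bbb2", "explorer.exe"),
    ("WS04", "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM", "ccc3", "services.exe"),
    ("WS04", "explorer.exe", "C:\\Windows\\explorer.exe", "CORP\\alice", "ddd4", "userinit.exe"),
]
# Addresses stored the way a snapshot tool keeps them: raw 4-byte network order (constructed)
SAMPLE_IPS = [("WS01", b"\x0a\x00\x00\x05"), ("WS02", b"\x0a\x00\x00\x06")]

SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def build_sample_db():
    """Create the constructed sweep database in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE machines(name TEXT PRIMARY KEY);
        CREATE TABLE processes(machine TEXT, name TEXT, path TEXT, owner TEXT, md5 TEXT, parent TEXT);
        CREATE TABLE ip_info(machine TEXT, addr BLOB);
    """)
    con.executemany("INSERT INTO machines VALUES (?)",
                    [(m,) for m in sorted({r[0] for r in SAMPLE_PROCESSES})])
    con.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?)", SAMPLE_PROCESSES)
    con.executemany("INSERT INTO ip_info VALUES (?,?)", SAMPLE_IPS)
    return con


def describe_schema(con):
    """List every table with its columns and row count via sqlite_master and
    PRAGMA table_info: the first step against an undocumented cache file."""
    schema = {}
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"):
        cols = [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]
        count = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        schema[table] = (cols, count)
    return schema


def decode_ipv4(blob):
    """Turn a 4-byte network-order BLOB into dotted-quad text."""
    if len(blob) != 4:
        raise ValueError("expected a 4-byte IPv4 address")
    return socket.inet_ntoa(blob)


def machine_ips(con):
    """Map machine name to the decoded addresses from the ip_info table."""
    ips = defaultdict(list)
    for machine, blob in con.execute("SELECT machine, addr FROM ip_info ORDER BY machine"):
        ips[machine].append(decode_ipv4(blob))
    return dict(ips)


def svchost_outliers(con):
    """Compare every svchost.exe instance in the sweep against the others.
    Flags: image outside System32/SysWOW64, parent other than services.exe,
    owner that is not a service account, hash seen on a minority of machines."""
    total = con.execute("SELECT COUNT(*) FROM machines").fetchone()[0]
    rows = con.execute(
        "SELECT machine, path, owner, md5, parent FROM processes "
        "WHERE lower(name) = 'svchost.exe' ORDER BY machine, path").fetchall()
    machines_per_hash = defaultdict(set)
    for machine, _path, _owner, md5, _parent in rows:
        machines_per_hash[md5].add(machine)
    findings = []
    for machine, path, owner, md5, parent in rows:
        reasons = []
        if not path.lower().startswith(SYSTEM_DIRS):
            reasons.append("image outside System32/SysWOW64")
        if parent.lower() != "services.exe":
            reasons.append(f"parent is {parent}, not services.exe")
        if owner.upper() not in SERVICE_ACCOUNTS:
            reasons.append(f"owner {owner} is not a service account")
        seen = len(machines_per_hash[md5])
        if seen * 2 < total:
            reasons.append(f"hash {md5} seen on {seen} of {total} machines")
        if reasons:
            findings.append({"machine": machine, "path": path, "md5": md5, "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for table, (cols, count) in describe_schema(db).items():
        print(f"{table}: {count} rows, columns {cols}")
    print(machine_ips(db))
    for f in svchost_outliers(db):  # step 3 output, fed back into the forensic tool in step 4
        print(f"{f['machine']} {f['path']} ({f['md5']}): " + "; ".join(f["reasons"]))
```

Against a real Sweep.sqlite you would replace build_sample_db with sqlite3.connect on the exported file (opened read-only, on a copy, so the cache stays untouched) and adjust the table and column names to whatever describe_schema reports. The hash-prevalence check is the point of a sweep: a single svchost.exe whose hash differs from the one on every other machine is worth a second look even when its path, owner and parent look normal.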
EnCase v7 sweep view
• through the EnCase program
• through the case analyzer: browser / reporter
• very rough interface
• no global view
EnCase view of sweep data
EnCase snapshot & disk view
EnCase data browser: Case analyzer
EnScript
Case analyzer report view
EnCase: in-program view of the data
INsig2 – Integrirana sigurnost (Integrated Security)
Example of integration
Other enterprise security tools
– Automated Incident Response Suite automates the task of manually filtering through alert data via the IDS/SIM/CMS interface
• selects alerts of interest
• performs an investigation through a snapshot
• same idea for data analysis as for plain EnCase Enterprise
• additional sources: log collector, SIEM, other forensic tools
Conclusion
• useful, but it needs a lot of expertise in all the tools used to get the data out and to compare the really important data
• lack of standardization
• XML is useful
• for real-time incidents, too much work goes into the tool instead of the task
• mobile devices add a whole new dimension to this problem
Related tools & ideas
• Nuix http://www.nuix.com/
• other data mining / data analysis tools
• In the last year a lot of vendor-specific tools, shipped as part of packages, have come to market, mostly for timeline analysis and connection analysis, but again they lack flexibility
Questions ?
• damir.delija@inisg2.eu
