2. About Me
Marc Hullegie
Marc Hullegie is founder and CEO of Vest Information Security and is widely experienced in all areas of the information security business: Security Architecture and Infrastructure, Security Audits and Testing, Security Management, Awareness and Digital Forensics. He presents lectures at (international) conferences and is looking forward to sharing experiences with you at the OWASP Benelux Days 2012.
Kees Mastwijk
Kees Mastwijk is a security consultant working with Vest, acting as Security Auditor, Awareness Program leader and Security Manager. He has long (and ongoing) experience in Digital Forensic Research.
4. INVESTIGATION BASICS
Why do people commit fraud / crime / ‘misbehavior’ / ….
Fraud Triangle:
• Opportunity – One has to be able to commit fraud
• Motive – There is a ‘drive’ to commit fraud
• Rationalization – Actions will be justified
5. INVESTIGATION BASICS
Understanding the Fraud Triangle can be helpful for:
• Formulating the investigation charter
• Creating scenarios
• It applies to fraud and forensic investigations as well as to security testing
6. TYPES OF DIGITAL INVESTIGATIONS
(due to the nature of the fraud / crime ..)
• Against computer systems, e.g. hacking, spam
• Where computer systems are used to commit fraud, stalking, harassment
8. KNOW YOUR STUFF !
REQUIRED SKILLS AND KNOWLEDGE
- Technical skills
Understand what kind of evidence you are looking for,
&
- Investigative skills
Being able to understand the value of the evidence in the case, to translate highly technical findings into an easy-to-understand report, and to spot abnormalities
- While maintaining the ‘chain of custody’
9. BASICS
Basic steps in a digital forensic investigation
• Preparation
• Acquisition of Evidence
• Duplication
• Extraction
• Analysis
• Reporting
10. PREPARATION
• Investigation Charter
• Determine the scope and preconditions of the investigation
• Determine potential locations of relevant evidence depending on the type of investigation:
- Network
- Data carriers like hard disk drives, smartphones, USB drives etc.
- Memory
- Etc.. Etc..
• Expectation Management / (Communication)
• Create an investigation log (and maintain it during the process)
11. ACQUISITION & PRESERVATION
• NEVER conduct an investigation on original material
• Acquire potential evidence following forensically sound
procedures, tools and hardware
• Use write-protected hardware and software that
ensures the integrity of the copy
• Duplicate the acquired evidence files to a secured
back-up location
• Note System config settings, especially time related
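The preservation steps above, as an added Python example that is not from the slides: the acquired image is hashed, duplicated to a backup location, the duplicate is verified against the original hash, and the result is appended to the investigation log together with the clock offset noted from the system's time settings. The paths, the `examiner` label and the image bytes used when calling it are constructed for illustration; write-blocking is hardware and is assumed to have been in place during acquisition.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a (possibly large) image through SHA-256 without loading it fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(image_path, backup_dir, investigation_log, clock_offset_seconds, examiner):
    """Hash the acquired image, duplicate it to a backup location, verify the
    duplicate and append a log entry. Returns the entry; raises on mismatch."""
    image_path = Path(image_path)
    backup = Path(backup_dir) / image_path.name
    original_hash = sha256_of(image_path)
    shutil.copy2(image_path, backup)          # copy2 keeps the timestamps of the evidence file
    backup_hash = sha256_of(backup)
    entry = {
        "action": "duplicate_evidence",
        "at_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,                 # constructed label, not a real person
        "source": str(image_path),
        "backup": str(backup),
        "sha256": original_hash,
        "backup_verified": backup_hash == original_hash,
        # noted at acquisition: how far the examined system's clock was from reference time
        "system_clock_offset_seconds": clock_offset_seconds,
    }
    with open(investigation_log, "a") as log:   # append only; earlier entries are never rewritten
        log.write(json.dumps(entry) + "\n")
    if not entry["backup_verified"]:
        raise RuntimeError("backup copy does not match the acquired image")
    return entry


def verify(path, expected_sha256):
    """Re-check an evidence copy before analysis; any change invalidates it."""
    return sha256_of(path) == expected_sha256
```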
12. EXTRACTION
• Compound files (Zip/rar/certain e-mail
archives) may need to be extracted in order to
be able to search the files.
• Transform data into usable investigation
objects
• Disk images contain potential ‘hidden’
evidence in file slack, unallocated clusters etc
15. ANALYSIS
• Select tooling to conduct analysis
• Many tools available, specific for each type of
investigation
• Cross check and verify your findings. Do not rely
on the results of one tool
• Keep in mind the questions to be answered in the
investigation or you will get lost
16. REPORTING
• Translate findings into a readable report
• Be transparent in describing your investigative
process
• Answer the ‘W’ and ‘H’ questions: Who did What, When, Where, Why and How
• Do not jump to conclusions! Be aware of
tunnel visioning
17. CHALLENGES IN DIGITAL FORENSICS
• BIG data changes the way investigations will be conducted
• Diversity of equipment used in today’s communications
• Solid State Disks (SSD) reduce the likelihood of retrieving good evidence (if deleted previously)
• Unclear where your data is: e.g. Cloud Computing changes
potential source locations
• Virtual Desktop Infrastructures
• Compliance rules limiting access to public records
18. TRENDS IN DIGITAL FORENSICS – TRIAGE
• Screening of potential evidence instead of creating a full disk image first, to conduct digital investigations efficiently and cost-effectively. Average storage in a system has increased substantially.
19. TRENDS IN DIGITAL FORENSICS – TRIAGE - CONT
Previewing and searching potential evidence
saves a lot of time and storage.
If a triaged system contains sources of evidence, create a full disk image.
20. TRENDS IN DIGITAL FORENSICS – VISUALIZATION
• Visualize BIG data to correlate events,
relationships, systems.
• Profiling applications
21. AUDIT TRAILS
In a digital forensic context:
‘Chronological presentation of actions and
events extracted from user or system generated
information’
22. SYSTEM GENERATED EVIDENCE
Users have little understanding and awareness of the presence of this kind of evidence!
Some examples
• NTUSER.DAT
• Webserver logs
• Index.dat files
• Printspooler logs
• E-mail headers
• Registry files
• Temp/tmp folders
• Etc..
23. USER CREATED EVIDENCE
Some examples:
• Pictures
• (Open) Office documents
• Internet history
• Chat services
• E-mails
24. OTHER POTENTIAL EVIDENCE
Call registers
Attendance registers
Surveillance videos
Etc..
Note: Mind regulations for privacy, proportionality
and subsidiarity
25. AUDIT TRAILS COMBINED
Combining system generated and user generated evidence along with additional information creates a complete audit trail.
Interrelate and correlate, minding proper synchronization and unique identifiers (don’t assume: user williamsj does not have to be John Williams).
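The correlation described above, as an added Python example that is not part of the presentation: two constructed log sources with different clock conventions are normalized to UTC, merged into one chronological trail, joined on the session id as the unique identifier, and account names are resolved through a separate identity source instead of being assumed. All log lines, addresses, names and the ACCOUNTS mapping are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample data, not real logs: the web server writes local time with an
# explicit offset; the application writes UTC and carries the session id (sid).
WEBSERVER_LOG = """\
203.0.113.7 - williamsj [17/Nov/2012:14:02:11 +0200] "POST /transfer HTTP/1.1" 200 512 sid=a1b2
203.0.113.7 - williamsj [17/Nov/2012:14:02:40 +0200] "GET /account HTTP/1.1" 200 2048 sid=a1b2
"""
APP_LOG = """\
2012-11-17T12:02:12Z sid=a1b2 user=williamsj action=transfer amount=9500
2012-11-17T12:05:03Z sid=c9d8 user=svc_batch action=login result=failed
"""
# Identity source (e.g. an HR/IAM export): the account is looked up, never assumed.
ACCOUNTS = {"williamsj": "Jane Williams (employee 4471)"}
WEB_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) \d+ sid=(\S+)$')
APP_RE = re.compile(r'^(\S+) sid=(\S+) user=(\S+) (.*)$')


def parse_webserver(text):
    """Parse web server lines; timestamps are converted to UTC for synchronization."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ip, user, ts, req, status, sid = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            events.append({"when": when, "source": "webserver", "sid": sid, "user": user, "ip": ip, "detail": f"{req} -> {status}"})
    return events


def parse_app(text):
    """Parse application lines (already UTC, 'Z' suffix)."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            ts, sid, user, rest = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
            events.append({"when": when, "source": "application", "sid": sid, "user": user, "ip": None, "detail": rest})
    return events


def build_timeline(sources, accounts):
    """Merge all sources into one chronological trail and resolve accounts to persons."""
    events = sorted((e for s in sources for e in s), key=lambda e: (e["when"], e["source"]))
    for e in events:
        e["person"] = accounts.get(e["user"], "UNRESOLVED:" + e["user"])
    return events


def events_for_session(timeline, sid):
    """Join across sources on the unique session identifier, not on the user name."""
    return [e for e in timeline if e["sid"] == sid]
```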
26. FORENSIC READINESS
• Be prepared for incidents, they WILL happen
• Compliance
• Prevention
• Early Warnings
• Limit “damage”
• Reduction of investigation cost/time
• Effectiveness in sanction (HR/Legal/IT)
35. HOW CAN WEB DEVELOPERS HELP SUPPORT
FORENSIC READINESS
• Webserver : Logs
• Application server/ Middleware: Logs
• Database server: Logs, system tables, memory
• Do not limit log files: log verbosely, and never overwrite
36. HOW CAN WEB DEVELOPERS HELP SUPPORT
FORENSIC READINESS
• Applications:
What have YOU instructed the application to log / record?
37. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC
READINESS
• The application “Knows and Sees” a lot !
• CAPTURE THAT DATA:
• Facilitate detailed logging for the purpose of audit trails:
Who - e.g. user account
What - (sequence of) activity
When - date/time stamps
Where - IP address, geo info, endpoint characteristics
How - application navigation behavior
As much and as detailed as possible!
Look across bridges, as far as you can see to both ends.
38. HOW CAN WEB DEVELOPERS HELP SUPPORT FORENSIC
READINESS
• Where ?
– (Additional) Log files
– (system) Event log
– Database !
• Mind:
– Location and size
– Access, Authorization …
– Performance
• Forensic principles are to be included in your design!
39. HOW CAN WEB DEVELOPERS HELP SUPPORT
FORENSIC READINESS – CONT
• Add monitoring and triggering mechanisms to your (forensic) logging to enhance traceability, with early warning and even prevention advantages.
• It might also support your regular system debugging ;-)
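Slides 37 to 39 together, as an added Python example that is not part of the presentation: a minimal application audit trail that records Who/What/When/Where/How for each action in append-only JSON lines with UTC timestamps and a unique event id, plus two trigger rules (repeated failed logins within a window, and a known account appearing from a new source IP) that raise an early warning. The class, the rule names and the thresholds are assumptions chosen for illustration.

```python
import json
import uuid
from collections import defaultdict, deque
from datetime import datetime, timezone, timedelta


class AuditTrail:
    """Append-only application audit trail (one JSON record per line, never
    overwritten) with simple triggers that raise an early warning."""

    def __init__(self, sink, alerts, failed_login_limit=3, window=timedelta(minutes=5)):
        self.sink = sink            # list of JSON lines; in production a file opened in append mode
        self.alerts = alerts        # where early warnings go (a list here; a monitoring queue in practice)
        self.limit = failed_login_limit
        self.window = window
        self._failed = defaultdict(deque)   # account -> times of recent failed logins
        self._ips = defaultdict(set)        # account -> source IPs seen so far

    def record(self, who, what, where, how, outcome, now=None):
        """Who/What/When/Where/How for one action; returns the stored record."""
        when = now or datetime.now(timezone.utc)
        event = {
            "event_id": str(uuid.uuid4()),     # unique id for later correlation
            "when": when.isoformat(),          # UTC, so trails from different systems can be synchronized
            "who": who,                        # user account (the person behind it is resolved later)
            "what": what,
            "where": where,                    # e.g. {"ip": ..., "user_agent": ...}
            "how": how,                        # e.g. navigation path within the application
            "outcome": outcome,
        }
        self.sink.append(json.dumps(event, sort_keys=True))
        self._check_triggers(event, when)
        return event

    def _check_triggers(self, event, when):
        acct = event["who"]
        if event["what"] == "login" and event["outcome"] == "failed":
            recent = self._failed[acct]
            recent.append(when)
            while recent and when - recent[0] > self.window:
                recent.popleft()               # drop failures outside the window
            if len(recent) >= self.limit:
                self.alerts.append({"rule": "repeated_failed_login", "who": acct,
                                    "count": len(recent), "event_id": event["event_id"]})
        ip = event["where"].get("ip")
        if ip and ip not in self._ips[acct]:
            if self._ips[acct]:                # account was already seen from another address
                self.alerts.append({"rule": "new_source_ip", "who": acct,
                                    "ip": ip, "event_id": event["event_id"]})
            self._ips[acct].add(ip)
```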
40. HOW CAN WEB DEVELOPERS HELP SUPPORT
FORENSIC READINESS
• Non-repudiation:
Perform security tests so that fraudulent people cannot dispute their acts and the operation of your application.
(They will tell you your application environment sucks!) Prove they’re wrong!
41. HOW CAN WEB DEVELOPERS HELP SUPPORT
FORENSIC READINESS - CONT
• And don’t forget the traditional forensic
sources:
• Not only application logs contain relevant
information
• Consider logs of servers, network peripherals,
workstations, syslogs
42. CONCLUSION
• All activity as shown on screen has potential to be
recovered
• New technologies change the forensic landscape
as well
• Be prepared for incidents and know how to handle them while preserving potential evidence
• Be Forensic Ready! Be pro-active !
43. And then what ?
• Do not forget about “traditional” forensics
• Adjust NOW to the changing landscape !
• OWASP has a Forensic project opened in Aug
• Let’s ALL contribute:
– We will ALL provide our knowledge and questions
– List of tools
– Facts about current forensic techniques (detailed techstuff)
– Your environments and challenges
– Compose a Forensics Ready (Secure) Application framework
– Create new tools ?
44. Thank you
For any intermediate questions and suggestions:
– marc@vest.nl (Marc Hullegie)
– kees@vest.nl (Kees Mastwijk)
www.vest.nl
See you all at the “OWASP Forensic Guide Project”
http://owasp.org/index.php/owasp_forensic_guide_project