Putting the Bits Back
Together
Forensic investigations in AWS EC2
$ whoami
Brandon Sherman
Senior Cloud Security
Engineer at Twilio, Inc.
Krav Maga instructor
Has cloudy outlook
Certified Solutions
Architect, Professional
A picture, just in case
you’ve forgotten what I look
like already
Or are in the back
This is a better looking
photo than the live version
the people at the front get
~/agenda
Why?
Background on AWS, EC2, and EBS
Research, Methodology, and Findings
Protecting your forensic data
“Start with why.”
– Twilio value
$ cd ~/why?
💩 happens
(citation needed)
~/why?
Compromises happen
@TODO: fill in with the most recent breach
~/why?
Prevention is ideal
Detection is a must
If something bad happens, how can we determine how
bad that something was?
~/why?
Forensic Investigation
Investigate an event in the past by utilizing scientific
techniques
Post-event is not the time to be developing
techniques
~/why?
Personally: What is hidden is much more interesting
than what is visible
Has an attacker…
…deleted log files?
…caused log files to roll over?
…used a dropper which erased itself?
$ cd ~/the_cloud
Super-high-level overview of the cloud
$ ln -s ~/the_cloud /clouds/aws
~/the_cloud/
This is not meant to be a introductory course in AWS
Also not meant to be an advanced course in AWS
Amazon Web Services is comprised of many, many,
many, many, many, many, many services
ls ~/the_cloud/
Focusing today on
EC2: Elastic Compute Cloud
EBS: Elastic Block Store
IAM: Identity and Access Management
S3: Simple Storage Service
$ cd ~/the_cloud/ec2
Elastic Compute Cloud
Virtual machines on-demand
Plus now, even a few bare-metal ones
Varying capabilities, CPU, RAM, etc.
~/the_cloud/ec2
Click button, get server
Script with a loop, hit API, get lots of servers
Default is shared tenancy, but you can get various
degrees of dedicated hardware
~/the_cloud/ec2
The starting point for an EC2 instance is an AMI
Amazon Machine Image
This contains the host OS, configuration, etc.
Possible to create an AMI from a running instance—
including configuration files, etc.
~/the_cloud/ec2
Some instances have Instance Storage
Some instances don’t
Instance Storage is directly-connected disk
Fast
Ephemeral
$ cd ../ebs
Elastic Block Store
Request a volume, specify its size, and where you want
to attach it
Kinda-sorta network attached storage that presents
locally
Various backing stores
~/the_cloud/ebs
Volume type            standard         gp2              io1               st1               sc1
Backing material       HDD              SSD              SSD               HDD               HDD
Sizes                  1GB–1TB          1GB–16TB         4GB–16TB          500GB–16TB        500GB–16TB
Max throughput         90MBps           160MBps          500MBps           500MBps           250MBps
(per volume)
Price                  $0.05/GB/month   $0.10/GB/month   $0.125/GB/month   $0.045/GB/month   $0.025/GB/month
AFR                    0.1%–0.2%        0.1%–0.2%        0.1%–0.2%         0.1%–0.2%         0.1%–0.2%
~/the_cloud/ebs
EBS has an AFR of
<0.2%
Commodity drive AFR is
~4%
~/the_cloud/ebs
EBS is 20x more
durable than regular
drives!
How? Magic! (Every EBS volume is replicated within its Availability Zone.)
~/the_cloud/ebs
Recap:
Disk storage which…
…is network attached storage…
…of various capabilities…
…presenting to the guest as either an NVMe device or a Xen paravirtual (xvd) block device…
…with dynamic sizes…
…but of static allocation…
…which fail 1/20th as often as a single drive
…and can be snapshotted via API call
$ cd ../iam
Identity and Access Management
aka permission controls in AWS
Relatively fine-grained; who can perform which API
calls on what resources
We’ll get into this more later— it ties into how to
protect the chain of custody
$ cd ../s3
EBS volumes can have a snapshot taken
The volume does not have to be detached first, but a snapshot of an
attached, in-use volume is only crash-consistent: data the guest has not
yet flushed to the device is not captured, and a filesystem caught mid-write
may need repair before it mounts
Snapshots are stored as blobs in S3
~/the_cloud/s3
Snapshots are immutable (they cannot be modified, but they can be deleted; see chain of custody)
AMIs are special EBS snapshots
“Blessed” to be usable as a boot volume
Instance root volumes can be EBS or Ephemeral
storage
Story Time!
Alice
Bob
The Third Party
The story, all names, characters, and incidents portrayed
in this production are fictitious. No identification with
actual persons (living or deceased), places, buildings,
and products is intended or should be inferred.
Alice and Bob communicate with each other via the
“WhatsMyGramBook” service
“WhatsMyGramBook” uses one server, which was
breached
Were their communications accessed? What did the
attacker do?
~/the_cloud/questions
Question One: If a snapshot of an EBS volume is
taken, will that snapshot only contain in-use blocks, or
are deleted blocks also included?
Question Two: Does it matter what the original EBS
volume type is? Has Amazon changed their
implementation between versions?
Question Three: Does the instance type matter? Does NVMe vs. Xen
paravirtual (xvd) presentation make a difference?
~/research/process
1. Launch a selection of EC2 instances
2. Attach one of each EBS volume type to each class of instance
3. Write files
4. Delete files
5. Snapshot disks
6. Rehydrate snapshot to new disk
7. Look for files
WMGB sysadmin/founder/developer/person logs into
the AWS Console and triggers a snapshot of the EBS
volumes attached to their EC2 instance
Now to see what happened on that volume
./photorec
PhotoRec is freely available software to look for deleted
files
https://www.cgsecurity.org/wiki/PhotoRec
Reads the raw blocks of a disk, ignoring the filesystem, and compares data
to known file signatures (headers and, where a format has one, an end-of-file
marker), so it finds files whose directory entries are gone
./scripts/forensics.rb
With each snapshot, rehydrate to an EBS volume
Attach the volume to an instance
Run PhotoRec and look for deleted files
$ pry forensics.rb
Launching new Investigate instance
Waiting for i-04074842f4a3a8c10 to enter running state...
Executing setup commands
Waiting for command to be in finished, currently is Success
Command execution successful! Output:
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
3276800 inodes, 13107200 blocks
655360 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2162163712
400 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
download: s3://forensics-software/testdisk-7.0/AUTHORS to ../../root/testdisk/AUTHORS
download: s3://forensics-software/testdisk-7.0/INFO to ../../root/testdisk/INFO
download: s3://forensics-software/testdisk-7.0/documentation.html to ../../root/testdisk/documentation.html
download: s3://forensics-software/testdisk-7.0/fidentify.8 to ../../root/testdisk/fidentify.8
download: s3://forensics-software/testdisk-7.0/icons/48x48/apps/qphotorec.png to ../../root/testdisk/icons/48x48/
apps/qphotorec.png
download: s3://forensics-software/testdisk-7.0/THANKS to ../../root/testdisk/THANKS
download: s3://forensics-software/testdisk-7.0/NEWS to ../../root/testdisk/NEWS
download: s3://forensics-software/testdisk-7.0/COPYING to ../../root/testdisk/COPYING
download: s3://forensics-software/testdisk-7.0/Android.mk to ../../root/testdisk/Android.mk
download: s3://forensics-software/testdisk-7.0/ChangeLog to ../../root/testdisk/ChangeLog
download: s3://forensics-software/testdisk-7.0/icons/photorec.ico to ../../root/testdisk/icons/photorec.ico
Results!
Lots of files are returned!
WhatsMyGramBook team is very happy they attended
this talk
If WhatsMyGramBook had their log files on the root
EBS volume, they should expect to see many files
recovered from the AMI
Can be an overwhelming amount of returned files
AMIs are snapshots
AMIs therefore contain deleted files
Using PhotoRec on an EBS volume that was the
startup volume can net large amounts of recovered
files
Fair enough— I’ve told
the end of the story
before showing you the
results
How do we know it’s
possible to recover all
these files?
Pass Match the Hash
~/scripts/compare.sh
Frequently, more files are returned than originally
seeded to disk
This is due to PhotoRec guessing where files end and
new files begin
Especially with text files, which don’t have clearly
defined “magic numbers” and EOF markers
~/scripts/compare_bytes.sh
Comparing the first n bytes is a reliable way to
determine how many of the original files are recovered
$ grep -v -e '^/' analysis
Examining 84 files in /recovery/
c5.large/gp2.1/
Recovered: 84
Matches:48/56
Examining 88 files in /recovery/
c5.large/io1.1/
Recovered: 88
Matches:52/56
Examining 37 files in /recovery/
c5.large/sc1.1/
Recovered: 37
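The verification step, as an added example rather than the talk's compare.sh or compare_bytes.sh: it runs the same comparison two ways, whole-file hash ("pass the hash") versus first-n-bytes, over a constructed seed set and a constructed carve result, to show why the prefix comparison is the one that counts. The file names, message contents and the 32-byte prefix are assumptions for the demo; on real data the inputs are the seeded directory and /recovery/<instance>/<volume>/ and the prefix should be a few kilobytes.

```python
"""Which seeded files did a carve run actually recover?

Added example, not the talk's scripts.  Directories are replaced by
constructed in-memory dicts of name -> bytes so it runs offline.
"""
from __future__ import annotations
import hashlib

PREFIX = 32  # bytes compared; tiny for the demo, use 4096 or more on real data


def digest(data: bytes, n: int | None = None) -> str:
    """SHA-256 of the whole file (n=None) or of its first n bytes."""
    return hashlib.sha256(data if n is None else data[:n]).hexdigest()


def match(seeded: dict[str, bytes], recovered: dict[str, bytes], n: int | None = None):
    """Map recovered files back to the seeded files they reproduce.

    n=None compares whole-file hashes; n=PREFIX compares only the first n
    bytes, which survives trailing slack and files PhotoRec glued together.
    Returns (set of matched seed names, list of unmatched recovered names).
    """
    wanted = {digest(d, n): name for name, d in seeded.items()}
    matched, extras = set(), []
    for rname, data in recovered.items():
        seed = wanted.get(digest(data, n))
        if seed:
            matched.add(seed)
        else:
            extras.append(rname)
    return matched, extras


def report(label: str, seeded, recovered, n: int | None = None) -> str:
    """One summary line in the shape the talk's analysis output uses."""
    matched, _ = match(seeded, recovered, n)
    pct = round(100 * len(matched) / len(seeded))
    return f"{label}: Recovered: {len(recovered)}  Matches: {len(matched)}/{len(seeded)} ({pct}%)"


# Constructed seed set and constructed carve output showing the usual failure modes.
SEEDED = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) + b"\xff\xd9",
    "msg1.txt": b"alice: are we still on for 9?\n" * 4,
    "msg2.txt": b"bob: yes, bring the thing\n" * 4,
}
RECOVERED = {
    "f1024.jpg": SEEDED["photo.jpg"] + b"\x00" * 40,      # carved with trailing slack
    "f2048.txt": SEEDED["msg1.txt"] + SEEDED["msg2.txt"],  # two text files merged: no magic, no EOF
    "f3072.txt": SEEDED["msg2.txt"][60:],                  # a fragment whose prefix is gone
    "f4096.pdf": b"%PDF-1.4 garbage",                      # false positive on a header
}

if __name__ == "__main__":
    print(report("whole-file hash", SEEDED, RECOVERED))
    print(report("first 32 bytes", SEEDED, RECOVERED, PREFIX))
```

Whole-file hashes match nothing here even though two of the three seeded files were recovered, which is exactly the situation the deck describes: prefix matching credits them, and the merged text file still only counts once.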
~/findings
Source instance type has no detectable effect
Recovery success varied based on source volume type
Best recovery rates:
Standard, gp2, io1
Less-good rates:
sc1, st1
~/findings
Examining 84 files in /mnt/forensic_recovery/c5.large/gp2.1/
Matches: 48/56 (86%)
Examining 88 files in /mnt/forensic_recovery/c5.large/io1.1/
Matches: 52/56 (93%)
Examining 37 files in /mnt/forensic_recovery/c5.large/sc1.1/
Matches: 25/56 (47%)
Examining 11 files in /mnt/forensic_recovery/c5.large/st1.1/
Matches: 11/56 (20%)
Examining 86 files in /mnt/forensic_recovery/c5.large/standard.1/
Matches: 50/56 (89%)
~/findings
Weird artifacts
Recovery of PDFs from sc1/st1 based drives resulted
in massive files
…but not other drive types
/dev/nvme1n1 493G 196G 272G 42% /mnt/forensic_recovery
$ find . -printf '%s %p\n'|sort -nr|head -n 5
161053454336 ./m3.medium/st1.1/f209993256.pdf
24292724736 ./m5.large/st1.1/f428097024.pdf
21367603200 ./t2.nano/st1.1/f948187936.pdf
17745333 ./t2.nano/standard.1/f0475136.m4p
17745333 ./t2.nano/st1.1/f0393216.m4p
$ find . -printf '%s %p\n'|sort -nr|head -n 5
161 GB ./m3.medium/st1.1/f209993256.pdf
24.30 GB ./m5.large/st1.1/f428097024.pdf
21.36 GB ./t2.nano/st1.1/f948187936.pdf
0.18 GB ./t2.nano/standard.1/f0475136.m4p
0.18 GB ./t2.nano/st1.1/f0393216.m4p
Not sure why— this could be a recovery issue of
detecting the EOF marker further away from the start of
the PDF
But it only appeared when the source was an sc1/st1
volume
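How PhotoRec-style carving finds the deleted files described above, and how it produces the oversize PDFs seen on the st1/sc1 volumes, as an added example (not PhotoRec's code, which knows hundreds of formats and far more heuristics). It scans a constructed in-memory image for a few headers, cuts at the matching footer, and flags the case where a deleted PDF's trailer blocks were reused so the carver runs on to the next file's %%EOF. The three signatures, the sample image and the f<offset>.<ext> naming are the only assumptions.

```python
"""Minimal signature-based file carver in the style of PhotoRec.

Added example, not the talk's tooling: it carves a constructed in-memory
"disk image" instead of a rehydrated EBS volume.
"""
from __future__ import annotations
from dataclasses import dataclass

# Header and footer magic for a constructed subset of formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool   # footer found within max_len
    swallowed: bool  # another header inside the span: the footer belonged to a later file

    @property
    def name(self) -> str:
        # PhotoRec-style name, f<offset>.<ext>, like the talk's f209993256.pdf
        return f"f{self.offset}.{self.kind}"


def carve(image: bytes, max_len: int = 1 << 20) -> list[Carved]:
    """Scan raw bytes for known headers, ignoring filesystem metadata, so
    files whose directory entries were deleted are still found."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (i := image.find(head, pos)) >= 0:
            j = image.find(foot, i + len(head), i + max_len)
            if j >= 0:
                data, complete = image[i:j + len(foot)], True
            else:
                data, complete = image[i:i + max_len], False
            # A second header of the same kind inside the carved span means the
            # original trailer was overwritten and we ran on to the next file's
            # footer: the oversize-PDF artifact seen on st1/sc1 volumes.
            swallowed = head in data[len(head):]
            found.append(Carved(kind, i, data, complete, swallowed))
            # After a swallow, rescan from just past the header so the inner file
            # is still recovered on its own (one reason recovered > seeded).
            pos = i + (len(head) if swallowed else len(data))
    return sorted(found, key=lambda c: c.offset)


def suspicious(found: list[Carved]) -> list[str]:
    """Names of carved files an analyst should not trust as-is."""
    return [c.name for c in found if c.swallowed or not c.complete]


# Constructed sample image: slack, a JPEG, a PDF whose trailer blocks were
# reused after deletion, then an intact PDF.
SLACK = b"\x00" * 64
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 40 + b"\xff\xd9"
PDF_BODY = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
PDF_OK = PDF_BODY + b"trailer<</Root 1 0 R>>\n%%EOF"
IMAGE = SLACK + JPG + SLACK + PDF_BODY + SLACK + PDF_OK + SLACK

if __name__ == "__main__":
    for c in carve(IMAGE):
        flag = " <-- check" if c.swallowed or not c.complete else ""
        print(f"{c.name:>10} {len(c.data):6d} bytes{flag}")
    print("suspicious:", suspicious(carve(IMAGE)))
```

On a real volume, a 161 GB "PDF" is the same shape as f180.pdf here: a header whose own trailer is gone, followed by everything up to some later %%EOF. Checking each carved file for a second header of its own type is a cheap way to find those before they skew the size statistics.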
Chain of Custody
Snapshots can be shared to other accounts
If an attacker is in your account, they could delete the
snapshots as you take them, causing data to be lost
Copy to another, secured, account to keep them safe
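The two procedures above, the research process (snapshot, rehydrate to a new volume, attach, carve) and the chain-of-custody copy into a separate account, as one added example. This is not the talk's forensics.rb; the call sequence is the real boto3 EC2 client API (create_snapshot, modify_snapshot_attribute with createVolumePermission, copy_snapshot, create_volume, attach_volume and their waiters), while FakeEC2 is a constructed stand-in that records calls so the example runs offline. Account IDs, the KMS key ARN, volume and instance IDs, the region and the /dev/sdf device name are placeholders; in production pass one boto3.client("ec2") per account.

```python
"""Snapshot -> share -> copy -> rehydrate, across two accounts.

Added example, not the talk's script.  Real boto3 method names and
parameters; FakeEC2 is a constructed stand-in for offline use.
"""
from __future__ import annotations
from types import SimpleNamespace


def preserve_snapshot(src, forensics, volume_id, forensics_account, kms_key_id, region, case_id):
    """Take evidence in the (possibly attacker-controlled) source account and
    move it into the forensics account before anyone in the source account can delete it."""
    snap = src.create_snapshot(
        VolumeId=volume_id,
        Description=f"{case_id}: evidence from {volume_id}",
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "case", "Value": case_id}]}],
    )["SnapshotId"]
    src.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # Let the forensics account read the snapshot.  The original is still
    # deletable by anyone with ec2:DeleteSnapshot in the source account...
    src.modify_snapshot_attribute(SnapshotId=snap, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[forensics_account])
    # ...so copy it out at once, encrypting with a key the source account
    # cannot use.  (An encrypted source volume also needs its KMS key shared.)
    copied = forensics.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap,
                                     Encrypted=True, KmsKeyId=kms_key_id,
                                     Description=f"{case_id}: copy of {snap}")["SnapshotId"]
    forensics.get_waiter("snapshot_completed").wait(SnapshotIds=[copied])
    # Revoke the share once the copy is safe; nothing is ever deleted.
    src.modify_snapshot_attribute(SnapshotId=snap, Attribute="createVolumePermission",
                                  OperationType="remove", UserIds=[forensics_account])
    return snap, copied


def rehydrate(forensics, snapshot_id, availability_zone, workstation_id, device="/dev/sdf"):
    """Steps 6 and 7 of the research process: a new volume from the snapshot,
    attached to an analysis instance so PhotoRec can read its raw blocks."""
    vol = forensics.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
                                  VolumeType="gp2")["VolumeId"]
    forensics.get_waiter("volume_available").wait(VolumeIds=[vol])
    forensics.attach_volume(VolumeId=vol, InstanceId=workstation_id, Device=device)
    forensics.get_waiter("volume_in_use").wait(VolumeIds=[vol])
    return vol


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): records calls, hands out IDs."""
    def __init__(self, label):
        self.label, self.calls, self._n = label, [], 0

    def get_waiter(self, name):
        self.calls.append((f"wait:{name}", {}))
        return SimpleNamespace(wait=lambda **kw: None)

    def delete_snapshot(self, **kw):
        raise AssertionError("evidence handling must never delete a snapshot")

    def __getattr__(self, op):  # any other EC2 operation
        def call(**kw):
            self._n += 1
            self.calls.append((op, kw))
            ident = f"{self.label}{self._n:04d}"
            return {"SnapshotId": f"snap-{ident}", "VolumeId": f"vol-{ident}"}
        return call


def ops(client) -> list[str]:
    """Operation names in the order the client saw them."""
    return [name for name, _ in client.calls]


if __name__ == "__main__":
    prod, ir = FakeEC2("prod"), FakeEC2("ir")  # placeholders for two real accounts
    snap, copied = preserve_snapshot(prod, ir, "vol-0123456789abcdef0", "222222222222",
                                     "arn:aws:kms:us-west-2:222222222222:key/example",
                                     "us-west-2", "IR-0001")
    vol = rehydrate(ir, copied, "us-west-2a", "i-0fedcba9876543210")
    print(snap, copied, vol)
    print(ops(prod), ops(ir))
```

The IAM side follows from the call list: the responder role in the source account needs ec2:CreateSnapshot and ec2:ModifySnapshotAttribute and nothing that deletes, while the forensics account's role needs ec2:CopySnapshot, ec2:CreateVolume and ec2:AttachVolume plus use of its own KMS key. Keeping the copy and the key in the second account is what takes the evidence out of the blast radius of the compromised one.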
$ sort -u ~/talk
What does your threat model look like?
Do you need high-quality forensics?
Yes: Don’t use sc1/st1/ephemeral
No: Understand the limitations
$ sort -u ~/talk
Consider writing only to non-root EBS volumes
Eliminates the large number of recoverable files
deleted from the AMI
Quite possibly too much noise to see the signal of
deleted files
$ sort -u ~/talk
Use multiple accounts
A breach of a server could mean the breach of all your
stuff
The loss of an API key could mean the loss of all your
stuff
An account limits the blast radius
Keep your forensics out of that blast radius
Thank you!
Few quick things…
We’re hiring! If you are interested, or know someone who’s
interested:
https://boards.greenhouse.io/twilio
We have a bug bounty program!
https://bugcrowd.com/twilio
SMS ‘shakacon’ to 213.27.SHAKA for my business card!
213.27.74252
head -n 5 /dev/random
questions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Kürzlich hochgeladen (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Cloud forensics putting the bits back together

  • 1. Putting the Bits Back Together
    Forensic investigations in AWS EC2
  • 2. $ whoami
    Brandon Sherman
    Senior Cloud Security Engineer at Twilio, Inc.
    Krav Maga instructor
    Has cloudy outlook
    Certified Solutions Architect, Professional
  • 3. $ whoami
    Brandon Sherman
    Senior Cloud Security Engineer at Twilio, Inc.
    Krav Maga instructor
    Has cloudy outlook
    Certified Solutions Architect, Professional
    A picture, just in case you’ve forgotten what I look like already
    Or are in the back
    This is a better looking photo than the live version the people at the front get
  • 4. ~/agenda
    Why?
    Background on AWS, EC2, and EBS
    Research, Methodology, and Findings
    Protecting your forensic data
  • 6. $ cd ~/why?
    💩 happens (citation needed)
  • 7. ~/why?
    Compromises happen
    @TODO: fill in with the most recent breach
  • 8. ~/why?
    Prevention is ideal
    Detection is a must
    If something bad happens, how can we determine how bad that something was?
  • 9. ~/why?
    Forensic Investigation
    Investigate an event in the past by utilizing scientific techniques
    Post-event is not the time to be developing techniques
  • 10. ~/why?
    Personally: What is hidden is much more interesting than what is visible
    Has an attacker…
    …deleted log files?
    …caused log files to roll over?
    …used a dropper which erased itself?
  • 11. $ cd ~/the_cloud
    Super-high-level overview of the cloud
    $ ln -s ~/the_cloud /clouds/aws
  • 12. ~/the_cloud/
    This is not meant to be an introductory course in AWS
    Also not meant to be an advanced course in AWS
    Amazon Web Services is comprised of many, many, many, many, many, many, many services
  • 14. ls ~/the_cloud/
    Focusing today on
    EC2: Elastic Cloud Compute
    EBS: Elastic Block Storage
    IAM: Identity and Access Management
    S3: Simple Storage Service
  • 16. $ cd ~/the_cloud/ec2
    Elastic Cloud Compute
    Virtual machines on-demand
    Plus now, even a few bare-metal ones
    Varying capabilities, CPU, RAM, etc.
  • 17. ~/the_cloud/ec2
    Click button, get server
    Script with a loop, hit API, get lots of servers
    Default is shared tenancy, but you can get various degrees of dedicated hardware
  • 18. ~/the_cloud/ec2
    The starting point for an EC2 instance is an AMI
    Amazon Machine Image
    This contains the host OS, configuration, etc.
    Possible to create an AMI from a running instance— including configuration files, etc.
  • 19. ~/the_cloud/ec2
    Some instances have Instance Storage
    Some instances don’t
    Instance Storage is directly-connected disk
    Fast
    Ephemeral
  • 20. $ cd ../ebs
    Elastic Block Storage
    Request a volume, specify its size, and where you want to attach it
    Kinda-sorta network attached storage that presents locally
    Various backing stores
  • 21. ~/the_cloud/ebs
                              standard         gp2              io1              st1              sc1
    Backing material          HDD              SSD              SSD              HDD              HDD
    Sizes                     1GB–1TB          1GB–16TB         4GB–16TB         500GB–16TB       500GB–16TB
    Max Throughput (volume)   90MBps           160MBps          500MBps          500MBps          250MBps
    Price                     $0.05/GB/month   $0.10/GB/month   $0.125/GB/month  $0.045/GB/month  $0.025/GB/month
    AFR                       0.1% – 0.2%      0.1% – 0.2%      0.1% – 0.2%      0.1% – 0.2%      0.1% – 0.2%
  • 22. ~/the_cloud/ebs
    EBS has an AFR of <0.2%
    Commodity drive AFR is ~4%
  • 23. ~/the_cloud/ebs
    EBS is 20x more durable than regular drives!
    How? Magic!
  • 24. ~/the_cloud/ebs
    Recap: Disk storage which…
    …is network attached storage…
    …of various capabilities…
    …presenting as either NVMe or SATA…
    …with dynamic sizes…
    …but of static allocation…
    …which fail 1/20th as often as a single drive
    …and can be snapshotted via API call
  • 25. $ cd ../iam
    Identity and Access Management
    aka permission controls in AWS
    Relatively fine-grained; who can perform which API calls on what resources
    We’ll get into this more later— it ties into how to protect the chain of custody
  • 26. $ cd ../s3
    EBS volumes can have a snapshot taken
    Does not have to be when the disk is detached, but be wary of inconsistencies when snapshotting an active volume
    Snapshots are stored as blobs in S3
  • 27. ~/the_cloud/s3
    Snapshots are immutable
    AMIs are special EBS snapshots
    “Blessed” to be usable as a boot volume
    Instance root volumes can be EBS or Ephemeral storage
  • 28. Story Time!
    Alice
    Bob
    The Third Party
    The story, all names, characters, and incidents portrayed in this production are fictitious. No identification with actual persons (living or deceased), places, buildings, and products is intended or should be inferred.
  • 29. Alice and Bob communicate with each other via the “WhatsMyGramBook” service
    “WhatsMyGramBook” uses one server, which was breached
    Were their communications accessed?
    What did the attacker do?
  • 30. ~/the_cloud/questions
    Question One: If a snapshot of an EBS volume is taken, will that snapshot only contain in-use blocks, or are deleted blocks also included?
    Question Two: Does it matter what the original EBS volume type is? Has Amazon changed their implementation between versions?
    Question Three: Does the instance type matter? Does NVMe vs. SATA make a difference?
  • 31. ~/research/process
    1. Launch a selection of EC2 instances
    2. Attach one of each EBS volume type to each class of instance
    3. Write files
    4. Delete files
    5. Snapshot disks
    6. Rehydrate snapshot to new disk
    7. Look for files
  • 37. WMGB sysadmin/founder/developer/person logs into the AWS Console and triggers a snapshot of the EBS volumes attached to their EC2 instance
    Now to see what happened on that volume
  • 38. ./photorec
    PhotoRec is freely available software to look for deleted files
    https://www.cgsecurity.org/wiki/PhotoRec
    Looks at the raw blocks of a disk and compares data to known file signatures
  • 39. ./scripts/forensics.rb
    With each snapshot, rehydrate to an EBS volume
    Attach the volume to an instance
    Run PhotoRec and look for deleted files
  • 40. $ pry forensics.rb
    Launching new Investigate instance
    Waiting for i-04074842f4a3a8c10 to enter running state...
    Executing setup commands
    Waiting for command to be in finished, currently is Success
    Command execution successful! Output:
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    3276800 inodes, 13107200 blocks
    655360 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=2162163712
    400 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done
    download: s3://forensics-software/testdisk-7.0/AUTHORS to ../../root/testdisk/AUTHORS
    download: s3://forensics-software/testdisk-7.0/INFO to ../../root/testdisk/INFO
    download: s3://forensics-software/testdisk-7.0/documentation.html to ../../root/testdisk/documentation.html
    download: s3://forensics-software/testdisk-7.0/fidentify.8 to ../../root/testdisk/fidentify.8
    download: s3://forensics-software/testdisk-7.0/icons/48x48/apps/qphotorec.png to ../../root/testdisk/icons/48x48/apps/qphotorec.png
    download: s3://forensics-software/testdisk-7.0/THANKS to ../../root/testdisk/THANKS
    download: s3://forensics-software/testdisk-7.0/NEWS to ../../root/testdisk/NEWS
    download: s3://forensics-software/testdisk-7.0/COPYING to ../../root/testdisk/COPYING
    download: s3://forensics-software/testdisk-7.0/Android.mk to ../../root/testdisk/Android.mk
    download: s3://forensics-software/testdisk-7.0/ChangeLog to ../../root/testdisk/ChangeLog
    download: s3://forensics-software/testdisk-7.0/icons/photorec.ico to ../../root/testdisk/icons/photorec.ico
  • 42. Lots of files are returned!
    WhatsMyGramBook team is very happy they attended this talk
    If WhatsMyGramBook had their log files on the root EBS volume, they should expect to see many files recovered from the AMI
    Can be an overwhelming amount of returned files
  • 43. AMIs are snapshots
    AMIs therefore contain deleted files
    Using PhotoRec on an EBS volume that was the startup volume can net large amounts of recovered files
  • 45. Fair enough— I’ve told the end of the story before showing you the results
    How do we know it’s possible to recover all these files?
  • 47. ~/scripts/compare.sh
    Frequently, more files are returned than originally seeded to disk
    This is due to PhotoRec guessing where files end and new files begin
    Especially with text files, which don’t have clearly defined “magic numbers” and EOF markers
  • 49. ~/scripts/compare_bytes.sh
    Comparing the first n bytes is a reliable way to determine how many of the original files are recovered
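To make concrete what PhotoRec does on slide 38 (scan raw blocks for known signatures), why slide 47 sees more or oddly sized files than were seeded, and how the first-n-bytes check of compare_bytes.sh on slide 49 scores a run, here is an added example in Python. It is not the talk's scripts and not PhotoRec's code: a three-signature carver run over a constructed 64-block raw image, plus the scoring function. The signatures, the 4096-byte block size and the five "deleted" sample files are constructed for the example; one of them is a PDF whose %%EOF block has been overwritten, which reproduces the oversized-PDF artifact slides 53 to 57 describe, and one is a plain-text log that no signature can find.

```python
"""Signature carving over a constructed raw image, scored the way
compare_bytes.sh scores PhotoRec output (leading bytes, not exact size)."""

BLOCK = 4096  # assumed filesystem block size (matches the mke2fs output above)

# Header/footer pairs. A constructed subset; PhotoRec ships hundreds of these.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "pdf": (b"%PDF-1.", b"%%EOF"),
}


def carve(image):
    """Return [(offset, kind, data)] for every known header in the raw bytes.

    A carve runs to the first matching footer. If the footer is gone (its
    block was reused), the carve runs to the next header of any type or to
    the end of the image, which is how a 'recovered' PDF can balloon to the
    size of everything that follows it."""
    heads = []
    for kind, (head, _) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            heads.append((pos, kind))
            pos = image.find(head, pos + 1)
    heads.sort()
    carved = []
    for i, (start, kind) in enumerate(heads):
        limit = heads[i + 1][0] if i + 1 < len(heads) else len(image)
        tail = SIGNATURES[kind][1]
        end = image.find(tail, start, limit)
        end = end + len(tail) if end != -1 else limit
        carved.append((start, kind, image[start:end]))
    return carved


def score_recovery(originals, recovered, n=512):
    """Count originals whose first n bytes open some carved file.

    Exact equality is the wrong test: carves routinely gain or lose trailing
    bytes, so a leading-bytes comparison is what tells you a file came back."""
    matches = 0
    for original in originals:
        prefix = original[:n]
        if any(data[: len(prefix)] == prefix for _, _, data in recovered):
            matches += 1
    return matches, len(originals)


def make_image():
    """Constructed 64-block image with five 'deleted' files (no filesystem
    references them; the bytes are simply still there):
      block  3: intact PNG        block 10: intact JPEG
      block 20: intact PDF        block 30: PDF whose %%EOF block was overwritten
      block 40: plain-text log    (no signature, so carving cannot find it)"""
    png = SIGNATURES["png"][0] + b"\x00" * 300 + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\x11" * 500 + SIGNATURES["jpg"][1]
    pdf = SIGNATURES["pdf"][0] + b"7\n" + b"A" * 1000 + b"\n%%EOF\n"
    damaged = SIGNATURES["pdf"][0] + b"4\n" + b"B" * 1000 + b"\n%%EOF\n"
    log = b"2018-07-11 10:00:00 login ok user=alice\n" * 20
    image = bytearray(64 * BLOCK)
    for blk, data in ((3, png), (10, jpg), (20, pdf), (30, damaged), (40, log)):
        image[blk * BLOCK : blk * BLOCK + len(data)] = data
    # A later write reused the damaged PDF's last bytes: its footer is lost.
    end = 30 * BLOCK + len(damaged)
    image[end - 8 : end] = b"\x00" * 8
    return bytes(image), [png, jpg, pdf, damaged, log]


if __name__ == "__main__":
    image, originals = make_image()
    found = carve(image)
    for offset, kind, data in found:
        print(f"offset {offset:>7}  {kind}  {len(data):>7} bytes")
    matches, total = score_recovery(originals, found)
    print(f"Recovered: {len(found)} Matches: {matches}/{total}")
```

Running it reports four carves for five seeded files: the text log is invisible to a signature scanner, and the footer-less PDF is carved all the way to the end of the image, so its size says nothing about the original while its first 512 bytes still match. That is the reason the talk scores recoveries by leading bytes rather than by count or size.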
  • 50. $ grep -v -e '^/' analysis
    Examining 84 files in /recovery/c5.large/gp2.1/
    Recovered: 84 Matches:48/56
    Examining 88 files in /recovery/c5.large/io1.1/
    Recovered: 88 Matches:52/56
    Examining 37 files in /recovery/c5.large/sc1.1/
    Recovered: 37
  • 51. ~/findings
    Source instance type has no detectable effect
    Recovery success varied based on source volume type
    Best recovery rates: Standard, gp2, io1
    Less-good rates: sc1, st1
  • 52. ~/findings
    Examining 84 files in /mnt/forensic_recovery/c5.large/gp2.1/ Matches: 48/56 (86%)
    Examining 88 files in /mnt/forensic_recovery/c5.large/io1.1/ Matches: 52/56 (93%)
    Examining 37 files in /mnt/forensic_recovery/c5.large/sc1.1/ Matches: 25/56 (47%)
    Examining 11 files in /mnt/forensic_recovery/c5.large/st1.1/ Matches: 11/56 (20%)
    Examining 86 files in /mnt/forensic_recovery/c5.large/standard.1/ Matches: 50/56 (89%)
  • 53. ~/findings
    Weird artifacts
    Recovery of PDFs from sc1/st1 based drives resulted in massive files
    …but not other drive types
  • 54. /dev/nvme1n1 493G 196G 272G 42% /mnt/forensic_recovery
  • 55. $ find . -printf '%s %p\n'|sort -nr|head -n 5
    161053454336 ./m3.medium/st1.1/f209993256.pdf
    24292724736 ./m5.large/st1.1/f428097024.pdf
    21367603200 ./t2.nano/st1.1/f948187936.pdf
    17745333 ./t2.nano/standard.1/f0475136.m4p
    17745333 ./t2.nano/st1.1/f0393216.m4p
  • 56. $ find . -printf '%s %p\n'|sort -nr|head -n 5
    161 GB ./m3.medium/st1.1/f209993256.pdf
    24.30 GB ./m5.large/st1.1/f428097024.pdf
    21.36 GB ./t2.nano/st1.1/f948187936.pdf
    0.18 GB ./t2.nano/standard.1/f0475136.m4p
    0.18 GB ./t2.nano/st1.1/f0393216.m4p
  • 57. Not sure why— this could be a recovery issue of detecting the EOF marker further away from the start of the PDF
    But it only appeared when the source was an sc1/st1 volume
  • 59. Chain of Custody
    Snapshots can be shared to other accounts
    If an attacker is in your account, they could delete the snapshots as you take them, causing data to be lost
    Copy to another, secured, account to keep them safe
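The share-then-copy step slide 59 recommends, followed by the rehydrate-and-attach step of slides 31 and 39, as an added Python/boto3 example. This is not the talk's forensics.rb. It assumes two EC2 clients: one authenticated to the (possibly compromised) source account and one to a separate forensics account, which is the multi-account split slides 25 and 64 argue for. Profile names, snapshot, instance and key ids, region and zone are placeholders. The API calls (modify_snapshot_attribute, copy_snapshot, create_volume, attach_volume and the snapshot_completed, volume_available and volume_in_use waiters) are real boto3 calls; the clients are passed in as parameters so the flow can be exercised without credentials.

```python
"""Preserve an EBS snapshot outside the breached account, then rehydrate it
there for analysis. Added example, not the talk's Ruby script."""

from datetime import datetime, timezone


def share_snapshot(source_ec2, snapshot_id, forensics_account_id):
    """Source account: let the forensics account read the snapshot.

    A snapshot encrypted with the AWS-managed default EBS key cannot be shared
    at all; with a customer-managed key, the key policy must also admit the
    forensics account. Sharing alone is not preservation: a shared snapshot is
    still owned by, and deletable from, the source account."""
    source_ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="add",
        UserIds=[forensics_account_id],
    )


def copy_to_forensics(forensics_ec2, snapshot_id, source_region, case_id, kms_key_id=None):
    """Forensics account: make a copy it owns, and wait until it is complete."""
    kwargs = {
        "SourceRegion": source_region,
        "SourceSnapshotId": snapshot_id,
        "Description": f"case {case_id}: evidence copy of {snapshot_id}",
        "TagSpecifications": [{"ResourceType": "snapshot",
                               "Tags": [{"Key": "case", "Value": case_id}]}],
    }
    if kms_key_id:  # re-encrypt under a key the source account never held
        kwargs["Encrypted"] = True
        kwargs["KmsKeyId"] = kms_key_id
    copy_id = forensics_ec2.copy_snapshot(**kwargs)["SnapshotId"]
    forensics_ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])
    return copy_id


def rehydrate(ec2, snapshot_id, instance_id, zone, device="/dev/sdf"):
    """Create a volume from the snapshot and attach it to the analysis instance,
    which must sit in the same availability zone.

    Returns the volume id and a read-only mount command: 'noload' keeps ext4
    from replaying its journal, which would write to the evidence (assumes an
    ext4 filesystem). On NVMe-based instances the device appears as
    /dev/nvmeXn1 rather than the requested name, so check lsblk first."""
    volume_id = ec2.create_volume(SnapshotId=snapshot_id, AvailabilityZone=zone,
                                  VolumeType="gp2")["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(Device=device, InstanceId=instance_id, VolumeId=volume_id)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[volume_id])
    return volume_id, f"mount -o ro,noload {device} /mnt/evidence"


def preserve_and_rehydrate(source_ec2, forensics_ec2, snapshot_id, source_region,
                           forensics_account_id, analysis_instance_id, zone,
                           case_id, kms_key_id=None):
    """Share, copy, wait, rehydrate; return a chain-of-custody record.

    The source account only ever needs ec2:ModifySnapshotAttribute here; once
    the copy completes, nothing in that account can touch the evidence."""
    share_snapshot(source_ec2, snapshot_id, forensics_account_id)
    copy_id = copy_to_forensics(forensics_ec2, snapshot_id, source_region, case_id, kms_key_id)
    volume_id, mount = rehydrate(forensics_ec2, copy_id, analysis_instance_id, zone)
    return {
        "case": case_id,
        "source_snapshot": snapshot_id,
        "evidence_snapshot": copy_id,
        "analysis_volume": volume_id,
        "mount": mount,
        "preserved_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    import boto3  # only needed to talk to AWS for real
    # Placeholders: substitute real profiles, ids, region and zone.
    src = boto3.Session(profile_name="PROD_PROFILE").client("ec2", region_name="us-west-2")
    fx = boto3.Session(profile_name="FORENSICS_PROFILE").client("ec2", region_name="us-west-2")
    print(preserve_and_rehydrate(src, fx, "snap-SOURCE", "us-west-2", "123456789012",
                                 "i-ANALYSIS", "us-west-2a", "CASE-0001"))
```

The record returned is what goes in the case file: which snapshot was taken in which account, which copy the forensics account owns, and when. Run PhotoRec against the attached block device itself, not the mounted filesystem; the mount is only for looking at what the filesystem still references.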
  • 62. $ sort -u ~/talk
    What does your threat model look like?
    Do you need high-quality forensics?
    Yes: Don’t use sc1/st1/ephemeral
    No: Understand the limitations
  • 63. $ sort -u ~/talk
    Consider writing only to non-root EBS volumes
    Eliminates the large number of recoverable files deleted from the AMI
    Quite possibly too much noise to see the signal of deleted files
  • 64. $ sort -u ~/talk
    Use multiple accounts
    A breach of a server could mean the breach of all your stuff
    The loss of an API key could mean the loss of all your stuff
    An account limits the blast radius
    Keep your forensics out of that blast radius
  • 66. Few quick things…
    We’re hiring! If you are interested, or know someone who’s interested: https://boards.greenhouse.io/twilio
    We have a bug bounty program! https://bugcrowd.com/twilio
    SMS ‘shakacon’ to 213.27.SHAKA for my business card! 213.27.74252
  • 67. head -n 5 /dev/random/ questions
    SMS ‘shakacon’ to 213.27.SHAKA for my business card! 213.277.4252