SlideShare ist ein Scribd-Unternehmen logo
1 von 19
Mona Arkhipova
QIWI BigSister
Enterprise Forensics 101
#whoami
• Head of united monitoring/lead security expert at QIWI
• Past: Security analyst at GE Capital, independent security
consultant at fintech, systems/network administrator
Enterprise forensics: use cases
• Internal incidents
• User behavior related (suspicious attachments etc)
• Internal fraud
• External incidents
• Online banking
• Targeted malware
And special thanks to Red Team for mastering our
forensics skills ;)
Let’s get this party started
• Write down all the non-technical incident details
• Possibility of live response?
• Grab all the checksums/hardware details/images/etc
• Inspect all the related systems (if applicable)
Live Response: common
• Date and time, ntp settings
• Network: connections, active network software, routing
• Running processes and services
• Scheduled jobs
• Users and groups
• Logs, active memory and swap full dump
• Disk image
Live Response: Linux-specific
• Kernel modules
• File systems
• All executable files
• dmesg
Live Response: Windows-specific
• DLLs, setupapi.log
• Mapped drives, opened shares
• Prefetch
• Policies
• RAW registry files (hives)
• Autorun, NTUSER.DAT from all accounts
Live Response: toolkit
Linux:
• Built-in: nc, netstat, lsof, ps, strace, strings, dmesg, dd
and so on
Windows:
• MIR-ROR script/Sysinternals suite
• Mandiant’s memoryze
Specific tools: WinFE, Sleuthkit, AccessData FTK imager,
EnCase Forensic Imager/LinEn, Magnet RAM Capture,
ewfacquire/libewf
Imaging
• Prepare a proper drive for imaging. Wipe&format if
needed
• You may use some special tools during Live Response or
just a Linux/WinFE live CD
• Never. Mount. Original. Evidence. Partitions.
Carving: deep dive into non-volatile evidences
• Before you begin:
• Prepare image/device write protection
• Write up all inputs: devices S/N, acquired images or
files checksums, device or image “healthcheck”
status
Carving: basics
• Mount all evidences copy in RO mode (OSFMount,
FTK Imager, mount –o ro)
• Capture all the hierarchy
• Create timelines (fls, regtime.pl, PowerForensics)
• Collect all executables and run them against known
file filter or any similar tool
Carving: so…what?
Sorry guys. No universal recipe here.
• Take one more look at your initial incident details
• Review log files (or utilize Splunk/ELK for drill down)
• Review all accounts related information
• Review timelines, files created in incident timeframe
• Put all KFF non-filtered files to malwr/virustotal or
standalone cuckoo server
• Review all the found scripts
Carving: keeping all the memories
Carving: internal investigations and human factor
The most common interesting files if there’s a
”suspicious user” in place
- IM logs
- Browsers history and cache
- Recently opened files and downloads
- Devices history
- Remote control tools artefacts
Carving: Enterprise insides
• Export all the related information from your security
tools (IDS/IPS, firewall logs, proxies, SIEM records, DLP,
AV alerts)
• Sometimes the initial point of compromise is not what
you’ve suspected
• If you do not see something strange in your SIEM – it is
not a reason to relax.
QIWI Forensic Lab
QIWI Forensic Lab: Toolkit
• AccessData: Forensic Toolkit v6, PRTK, Imager, Registry
viewer, KFF.
• R-studio
• IDA Pro
• Redline
• And a lot of other small Santa’s helpers (log2timeline,
srch_strings, Volatility framework, OSFMount, EDD,
Nirsoft tools etc)
Reporting. I know you hate it.
Common information:
• Case summary (brief overview what’s happened and when)
• Serial numbers, make, model etc.
• All the preparation steps
Investigation process:
• Tools used, start and end dates
• Detailed information about process – artifacts, pictures,
documents…
Conclusion
Questions?
Mona Arkhipova
QIWI infrastructure security
Head of united monitoring team (SOC+OPS)
mona@qiwi.com
mona.sax m0na_sax

Weitere ähnliche Inhalte

Was ist angesagt?

Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopPriyanka Aash
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationSam Bowne
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
Security Ops for large and small companies
Security Ops for large and small companiesSecurity Ops for large and small companies
Security Ops for large and small companiesMona Arkhipova
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010Affan Basalamah
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingSam Bowne
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 

Was ist angesagt? (20)

Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shop
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident Preparation
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
 
Security Ops for large and small companies
Security Ops for large and small companiesSecurity Ops for large and small companies
Security Ops for large and small companies
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
Cyber Resiliency
Cyber ResiliencyCyber Resiliency
Cyber Resiliency
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 

Ähnlich wie Enterprise Forensics 101

All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collectionFakrul Alam
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysisCharles Lim
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensicsdefconmoscow
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Usage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsUsage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsDamir Delija
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 

Ähnlich wie Enterprise Forensics 101 (20)

All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
3871778
38717783871778
3871778
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collection
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysis
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Usage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsUsage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics tools
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 

Kürzlich hochgeladen

Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benonimasabamasaba
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 

Kürzlich hochgeladen (20)

Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 

Enterprise Forensics 101

  • 2. #whoami • Head of united monitoring/lead security expert at QIWI • Past: Security analyst at GE Capital, independent security consultant at fintech, systems/network administrator
  • 3. Enterprise forensics: use cases • Internal incidents • User behavior related (suspicious attachments etc) • Internal fraud • External incidents • Online banking • Targeted malware And special thanks to Red Team for mastering our forensics skills ;)
  • 4. Let’s get this party started • Write down all the non-technical incident details • Possibility of live response? • Grab all the checksums/hardware details/images/etc • Inspect all the related systems (if applicable)
  • 5. Live Response: common • Date and time, ntp settings • Network: connections, active network software, routing • Running processes and services • Scheduled jobs • Users and groups • Logs, active memory and swap full dump • Disk image
  • 6. Live Response: Linux-specific • Kernel modules • File systems • All executable files • dmesg
  • 7. Live Response: Windows-specific • DLLs, setupapi.log • Mapped drives, opened shares • Prefetch • Policies • RAW registry files (hives) • Autorun, NTUSER.DAT from all accounts
  • 8. Live Response: toolkit Linux: • Built-in: nc, netstat, lsof, ps, strace, strings, dmesg, dd and so on Windows: • MIR-ROR script/Sysinternals suite • Mandiant’s memoryze Specific tools: WinFE, Sleuthkit, AccessData FTK imager, EnCase Forensic Imager/LinEn, Magnet RAM Capture, ewfacquire/libewf
  • 9. Imaging • Prepare a proper drive for imaging. Wipe&format if needed • You may use some special tools during Live Response or just a Linux/WinFE live CD • Never. Mount. Original. Evidence. Partitions.
  • 10. Carving: deep dive into non-volatile evidences • Before you begin: • Prepare image/device write protection • Write up all inputs: devices S/N, acquired images or files checksums, device or image “healthcheck” status
  • 11. Carving: basics • Mount all evidences copy in RO mode (OSFMount, FTK Imager, mount –o ro) • Capture all the hierarchy • Create timelines (fls, regtime.pl, PowerForensics) • Collect all executables and run them against known file filter or any similar tool
  • 12. Carving: so…what? Sorry guys. No universal recipe here. • Take one more look at your initial incident details • Review log files (or utilize Splunk/ELK for drill down) • Review all accounts related information • Review timelines, files created in incident timeframe • Put all KFF non-filtered files to malwr/virustotal or standalone cuckoo server • Review all the found scripts
  • 13. Carving: keeping all the memories
  • 14. Carving: internal investigations and human factor The most common interesting files if there’s a ”suspicious user” in place - IM logs - Browsers history and cache - Recently opened files and downloads - Devices history - Remote control tools artefacts
  • 15. Carving: Enterprise insides • Export all the related information from your security tools (IDS/IPS, firewall logs, proxies, SIEM records, DLP, AV alerts) • Sometimes the initial point of compromise is not what you’ve suspected • If you do not see something strange in your SIEM – it is not a reason to relax.
  • 17. QIWI Forensic Lab: Toolkit • AccessData: Forensic Toolkit v6, PRTK, Imager, Registry viewer, KFF. • R-studio • IDA Pro • Redline • And a lot of other small Santa’s helpers (log2timeline, srch_strings, Volatility framework, OSFMount, EDD, Nirsoft tools etc)
  • 18. Reporting. I know you hate it. Common information: • Case summary (brief overview what’s happened and when) • Serial numbers, make, model etc. • All the preparation steps Investigation process: • Tools used, start and end dates • Detailed information about process – artifacts, pictures, documents… Conclusion
  • 19. Questions? Mona Arkhipova QIWI infrastructure security Head of united monitoring team (SOC+OPS) mona@qiwi.com mona.sax m0na_sax