
Incident Response Evidence Collection & Triage

BSides Peru · 2017 · 30:15 · 505 views · Published 2017-06
About this talk
Evidence collection and triage are critical to determining the root cause of security incidents. This talk covers when and how to collect evidence, verify and hash it, use working copies for examination, and triage gathered artifacts from memory, disk, and logs. Demonstrations include capturing disk images and memory using FTK Imager and SIFT Workstation, with a real-world example of identifying malicious URLs in thousands of phishing PDFs using command-line tools.
Original YouTube description:
Incident Response Evidence Collection & Triage - John Meyers "Incident Response succeeds or fails at evidence collection. If you don't collect evidence properly or soon enough, you might not be able to determine the root cause of the incident. I will explain how and when to start your evidence collection process, verifying your evidence, hashing your evidence, and the concept of working copies to examine your evidence. Demonstration will include capturing a disk image and device memory using FTK Imager and SIFT Workstation. Incident triage is the process of reviewing gathered evidence in an expedient manner to answer important questions. Topics will include the usefulness of artifacts including Memory, MFT, Windows Registry and Browser History. Memory triage would cover basic usage of Volatility to find running processes, network connections and review other artifacts available in memory. Disk triage would cover locations of key artifacts including MFT, Registry, Browser History, etc. Log triage would explain how to review large log sets to find relevant evidence using grep. Includes a real world example of using the strings command to find bad URLs in phishing PDF files from over 9k PDF files."
Transcript (en):

all right mom pickle not enjoying without difficulty we have John Mayer here two years in our country analyst Kubrick he told clients both their peter spierig office she has worked on a wide range of engine spirit including in side effects ABT colorized and holler algorithm in popular today it's his response and how it speeds or fail an impression and as a lot of them may not know it's really important they collect the right of it at the right time for today due to some issues we have the content think we're going to be denied a demo but who these movements to Bertolini demonstrate the sickness so here we get the time yes i wanted to do

a live demo but look at the perfection doing that oh my god amazing extra ah I'm sure mother so I can configure it to response analyst is security how do i role is to accident go back and respond significant for fun let's find time our outbreak or some kind of generating or something like that where they needed to respond services or private services then they come through my team in there we people provide that so we'll help them energy is negative Brenda will do look at the amount amount for that and the other side of the house that we do is they actually train our clients and how do people can respond so we want to

get on with their in some spots player love them develop rut looks and then for the longer clients eyes hold on people top scenarios where we will actually explain the client to run three different scenarios within a very responsible you know there's a couple scenarios are relevant and posted bound responses to delay okay and you can ask you guys the same work region what is your instance marking points two minutes and then I went to those challenges part is this is material for HP enterprise that reviewing caught up here to go around a while and I do have a home laughs and some of the things I have in my homeland security onion I have a fog reading servers on

image clients also how the people box it up so I could get out a little bit all that if I'm not doing computer geek stuff I think their room is back run so I'm outside Bernadette walked on and your follicle apply mini burger teacher so evidence question look at the neck up come look about why you want eclectic I want to collect evidence which one collective expertise construction module onto my left hand biggest reason is one connects to do now root cause what are a bit positive article evidence University okay we got some kind of security and then tapping on your network you know some kind of security control today at some point it's plot in order to understand where

that process failure to be some kind of rethought analysis in order to do that the extra copies lecture later on American regulatory regions water type of evidence rediscovery lawsuits to guarantee our technology like sometimes people from princess does not very recent storm evidence and again you want to try and improve your product so in order to really understand what happened in the crooked processes you have to understand with a be profitable so when you want to collect in it you want to cut the decisions possible so you're going to have to define when you're going to collect a better condition you can't collect heaven every time bars left pops up or these are disinfected with a piece of modify or anything like

that but if you actually defined some scenarios we're going to left evidence our entrees we be pumpkins final ravages of you how can you start looking at collective everything looks situated as you actually want to pick up this response time you click better if you want to cook it as soon as possible after the event we've had clients come to us in your past and this is Nick want relief and they want to know what happened on its laptop of a rien a store red bow electron or cleaned out first and forever over the last be very does say what you can become about it this tastes inaudible lot is you destroy everything I could look at material but

actually so the fact that we have it in person is possible I'm belated beginning of the engineering particular and you wanted 20 minutes prior to running your mouth like remediating situation or you guys get on there and so they get on boss I come from a I see I'm in Accra and I know when I was in that role the first thing I want to do get on the boss realized these were times whatever problem or Adam and pitches on you on Atlas c'mon away when you're handling interesting together this setting policy number created you team welcomes their their IP apartment building experience response you try and make it very clear answers exciting public actions like

that evidence first and preserve it before that with started orientation there's also going to be fourth out there I primarily that the ginger and takes broken imager is another one eating works if you're on Linux box to all those rules Evert you want to have to enter into the new clutch SDK imager and in page when you click this image they'll actually go to ask for that evidence whenever it busted so you want her to ask available if you're not using medical reason DD then you can use other tools like 85 summer sometime get to get a Selectric see other lucky then we even clear that the others have to change since you've taken and then you want to

create American coffee to actually work on that edge so you're doing your analysis your forensics going to actually be working on working talking four copies of that original either you want to conserve that original weapon in case something goes wrong book for us if you have some can screw up on your first station or something like that and we're about to get deleted or some otherwise rusted if you still have the original copy you can still get another copy fill command to get the situation you swap a little time on the type of evidence can we inquire you can quite a memory which is the activated system on on the device even or other 50 nations 250 perfect

copy of this goods device or whatever whatever beautiful ice nuclear attraction and I can't get Baba so proxy law firewall laws is more expensive things and then other effects evidence they put peak jockeys you have to go to be test capture network data travel tourism your network you can get this key tasks editors get files or something like that if you want to grab if you have some kind of cloud backup solution in your kitchen there's all kinds of different when you're current remember you want to ask a few questions on the first one can be how they can have because you got to put that every summer I feel if you want to have an external hard drive it's got

that number two so you have an external guy that you convert into the laptop or user device and you can save your number to that if you don't have that storage and you have to register the biskits stuff than anything you can user get AF from the network ocular go if you think it is religious nuts to market bug and I previously gotten hit your truck your country remember that way if you've got a server in data center and you have very screwed change controls an update Center about what you can and can't go into those servers that you file maybe not okay right now and you're going to have to figure out some other way to get

that memory off that servers to a lot of these like I said Gillian says it's nice to have an extra music store times you can buy covered exists but the one caveat to that is it devices with disk and you might feel the right unallocated space any other may have been a mess

okay this is really doing a live demo with entertain proportions that you do that at all guys but it's a if they're program that you can download necklace data and the feeling interface because a couple versions is the like version which is you don't have to actually install anything you can run it up a business drive and then there's an actual install version be installed on Tyson and run the the installed versions motoric recent summer main things and the light versions which are new preferences in cases where we have to keep her on construction top so it's capturing the image image is as simple as open up McEwing second on fire and there's a capture memory acquiring

this image not the sweet spec times questions are going to be needed at the current situation public spaces on the bit so you have a 500 gig hard drive you have a terabyte hard drive how much space destinies on these an honor tapes out they review the cool air file because then you have to find a medium to put that data whenever you're actually tapping the other question you want to know is is encrypted almost everybody go out there can support hit lock are in the major compression programs in the together to plug-in enterprise market robotics you can get better cheap so you can use that but if you don't have an access to the

keys or maybe it's some subject this year you don't have access to in here to see if any you don't want to get a physical drug is I'm going to get logical drive so that your marketing purposes and then be my physical or logical image again another reason for that my feet raid every Brenda's go out there with a day support raid and you can take internal images of great device and then stitch it back together and be able to present to the data and practice that works about ninety percent of time so what we do in my organization is do is run grab a logical image of great servers for honor to ditch assets is

amazing if we ask one issue with the brain epi day with effective forensic tools and still have an image of the server and this is where I did a lot of demo damage your own band together have that but again once you have it GUI up you can search by out and create this image and there's bump it up all your attention before I not quite what the first things you want to do is find out if the lobster dinner bar actually relevant and have the data that you want and I in situations like this make sure you get your follow along while robots will typically record the IP address I don't borrow a lot of a lot of the

domain names so if you're actually looking for a mega names and you look in your file below that's main name you might not find information convert that's a name into a nice to get dressed because it's a firewall attack same for proxy locks once in love technically how the survey today but maybe not an FPS and reverse the script maybe need to know how big the log files are because you have to get them some of using uncommon consulted talking back off whenever a time to gauge us and they're delivering props to us if we're not already exist in work at over two thousand eight month sometimes story or some puppy you get to us and then you I

asked if they can be pushed I bring this up because circular thoughts are a binary format and you can insert an artist check one well on different questions there's lovely to do that but if your opponent binary file off giving it media third party if I don't have the check play infrastructure in places to put that file and I won't be able to do that and prove that the text model Tom we have a lot of clients will bring on a deliverer file again in text format because it's easier for us to parse and it's less expensive event pay for concert yet make sure you have a limited funds and another nice demo here it's

going technology was founded yeah maybe the next one okay Evan extry Ives what I'm talking about here is figuring out what evidence you want to look what first again I come from a wealthy backgrounds of ever getting nation in business usually have a fine throw in a bunch of different editing sets we're going to get images from career for devices and memory loss files all the sort of evidence is coming in you need to sit down and figure out what you need to look at first and prioritize where you're going to find get the most bang for your buck time step so you want to try and focus on hi gunner gluttons for a particular patient that you're

working on so here's a couple of dances say they will work on a phishing email page where Christians know is used to install malware so now you know there's gonna be much different luck available we've got to think about what the most important or where the most high priority is vs real action no problem so to do a phishing email then you're probably going to skin cloth get peel off maybe there's gonna be memory memory is there's going to be action to them some remnants on the fifth a natural phishing email so there's a few kinds of places where you want to look for refine that patient's you never see if you can find out where install then the

concentrations you're going to look at are under this and you're going to want to look at again file see if that file to install maybe this run that the screen with our team converts to say possibly there's possible to part of all office hours talking up to a community closest location of the internet you might have lots of data in memory when offering processes and network connections and those sorts of things is irrelevant here takes another example that you have fit to the company documents on page then nobody wants to wake up that person amorous teachers into done drop-off casement but if you have that kind of situation you can try to have to figure out how you're going

to find that it's kind of a broad think so catches the documents things you want to think of is where are those documents of glass that's been give you the scope of using that might have has something happen on the devices and then you're going to want to shoot you know where would you find that information serving SharePoint box PLP losses get big loss prevention installing new network 80-odd applause if you have certain ought to be enabled you can tell them to watch files and do files or anything like that and those look like you're else you get some numeric data bunch of slides basically some page hey spin the questions you want to ask if

you could be scenarios are maybe you had a Kenosha's insider or maybe it was a hacker put in your and demo you gotta consider both those scenarios and you've got to think about the difference might be to support or exclude those periods thrown over 40 meters like images or endpoint images rocks logs by the log if they're actually uploading this stuff with you've got your corporate network to paste in you know that you might actually have a recognized we're taking that self out good but then the other thing is looking for is two signs of a dislocation so the hacker came in they're definitely their mode of operation into finally sent two documents their role authenticity they

can put some into a archive file or zip file or what file then they move them up another so you may look for evidence of that activity having the privilege through traffic traduction hundreds hundreds or 15 years is volatility involved instructors about genes and databases I'll use volatility for you to do a lot of the numbering office itself look at running processes network connections those sort of things against this is tree there's a kind of things that were looking at whenever I have a memory initial first thing next day a couple things I guess going to look at is what processes are running the memory and what network connections that's wise talking to this let's

continue quaternary things we usually that'll lead you to other areas in the memory that you want to look at another connection is oval it difficulties next game on the descendant and continuing on Windows XP hopefully nobody's to running the desert scanner by Ernest but based on the waterfront virus currently they're still our organization to have it out there so it will be on color other eligible for affectionate fond memory of user accounts encryption key if you have ransomware solvability memory URLs registries and that explored history all those sorts of things can be found in learn during may be well computers you can also pull up in at people okay they have to disk image finally

triage that you kind of have a focus on where the artifacts repeat is irrelevant for the personal feelings see up there understanding which will again it's almost to use at DK in cases are big one I played fifth birthday smallest music tips on the NFP will show you the positive on system so if you want to know if some file has been on there these Rancic you visited or our install or something like that in it be the really good resource to look for those kinds of things the registry center that basic spent a report on exchanges on system of iteration stuff so again if you're looking for something that installed or JSON system errors being on

those lines and I get under your brows of injury that kind of self-explanatory you want to find out if user actually click on that fishing link and went out to a URL downloaded that malware that user is remarkable that's off the record Smith is events that popular always have is I want they always fit it's underrated what the event must have on system I always try market event log in every system I look at you never know what you're going to find even with default settings on to those in the closet for you you still find good information and your vet blogs about what happened on the system at important times or whose money is coming off the

system to log on log off if somebody's trying to use lateral movement and running web services that's always gaming you can find internet box so there's kind of dangers to finding big ones then of the relevant laws like antivirus logs on there most of our logs under the shorter check those out to you sometimes those will be to your investigation in surprise what the end of our supports oh we've seen this violence and cut down and get install below you can stock so please they clean it but they did actually stopping section who she ever

ah true Russian balls and I'm from Essex from far away as long as our Sun with which he next so you have a kind of event to happen under heckler whether it's my DSLR or some other event like that got a date sometime hopefully on one second so if you sort of like you know and look at your watch from there off I'm used to thinking through things and because laws you can't just look at that stuff line by line I'd actually have clients on Apollo saying yeah we're looking well upon my wand and that's the wrong way to different off you actually have to find out what you want to look for in searching that you start pushing out and

you look for activity around that and with that known event so again and I will to lower together and prototype together somewhat weren't after and kind of get an idea of what and Derek at the front were you looking for unknown back and we do get that quite a bit more than you do actually but it does happen that you want to start built or not known good this is where correct one is usual from which you can actually look for known good IP addresses no biggie or Alice Microsoft offi home a source of energy directly at high information see that it's no good and then we suppress that reference being then you left with the other

something loans ok foot more story he hasn't been changed because I want to pick up significant view but this is current off process that we went through a different pace clearly in feedback and response there's always something coming down belonging to the team's work but this is one of the genie point so fires fish we're going to say that your user account they will compromise maybe users and operators so they don't even fish the user now to compromise their users announced letting us p.m. and they never say so they found sufficient out from some of users there's fifty artisans of all they come Kristen email and it's not that may be plenty of those users we

want to know the other you know although the third get has got the same fish and different basically group uses different places you know what happened so if you wanted to know what else happens without so looking at this from the solution perspective the EPA solution would ban they actually had in my monetary Intel ago they've actually and their emails for URLs and attachments BRL run mr. standoff you know five luscious one to put ever view of course I was in college which is quite a shock but it was available to us if it's enough people to contribute so next they say fingers are filed and I suspect we're throwing our front it to education and reduce the

keyword searches maybe triathlon something like that a little background on their business processes part of a lot of their business processes actually relies on leaders send the documents and PDF of other users with URL links inside to support the difference product so that is the way they were in the business of course that is a very high account a very high false positive work because you have all kinds of document emissive on our entry reviews in internal and external links run their business but if you have a and do a keyword searches for acoustic EP if your house was going to take too long in order to profit so you may want to create files due to on pieces of Maya

optics now it's going very well on on phishing emails because generally it's just the efficient unit a link to the URL it's required if it's something that went to follow up in a couple of eighty hit runners April 1115 are nothing earth-shattering there's no malware invented in it it's not running sprints or anything like that happening for houses it's just a PDF file I can look outside and the computer is clicking online ah what I didn't notice was that it streams so with the strengthless being actually this is the malicious URL which is good then the downside was that I couldn't feasibly running nine thousand across PDF files through the bottom and visually looking for strangers all

teachers again not something we want to do so inside for the strengths command on all these PDF files or all the strings out of all of the PDF files and their needs are other commands in order to collect it out so instructor the PDF files through in strings - strings my staff will actually prepend the filename of whatever string is five and files so you'll have a filename menu rather screen piercing screams come in and run it pulls all the ASCII characters out for your foots in Manila so there's it's baggage in there there's random characters together and then there's a few bits of useful information URLs made sort of things so once would run that

the screens minus F and then we put it into another file then what we can do is we can prep on that biology to look at the malicious URLs and those URLs repetitive HTTP so if they're going to do a better search on that and that there is a list of every HTTP URL bar on all those PDFs which it's a lot of data together through but it creates a solvable problem so let's do that is you cook if remember good dimensions so we know the mass microsoft.com probably not a malicious URL so I may not agree with that on some people it's generally good so to begin breath for Microsoft Tom and you would do that

results so when you don't feel like yourself up on all of what I do I use the minefield - I often I actually do the threat first for the particular you're looking for and take Microsoft and then Ottoman few those results there's nothing in particular that I'm looking for and I want to make sure that the a malware actor is not trying to trick the users by having something to missus Microsoft common is nothing against onyx or Microsoft comments not pretending to be news to you of your our enemies so it would either cross you really taking the perfect review best product month and then any want the next minute you're welcome every calm the client inane what bomb so

all this interview you could do that then at the end of that process you actually have live down I'm going your Alice it's no fun twist pretty good very intelligent speed or any other tools processes box turtle Google whatever other process you not release to find out that it will just you all that that's all I have for now I was going to do another demonstration but actually how efficient stuff am i do right now live demonstration denied apologize for that I apologize for the technical problem but is any questions I don't know long a question yeah we are the five malware to analyze the rajaiah if there's a whitewash out of it and the

other ah there are sites that actually have now respond back I don't remember the exact searching others you there but there are sites out there that haven't done it I just I just going out to malware's do something on public about a month ago if there are safe out there hammock I don't have to get to pump it but it's good typically come do some speed but as far as unit about to be do validation comes in our houses its what's the decision process that you see your client units or they can incision whether to go and trying people are my will be fabulous persons of cause or what we're a similar trick they think about me they say

should we pursue this is really the one off cost of the big one on academic council is hulking background so which is like I'm a materials cost and everything gauge our team sometimes it's a regulatory requirement is any kind of recording or anything like that that's going to play into how much investigations are going to do where they're required by some regulatory requirement can actually investigate whatever happens then that'll be again off to the big line and then whether there's any regulatory important for statistics

[Laughter] yes hello Fester there are tools out there they can do local analysis activated guidance all the big names have something for mobile general you're going to grab that phone itself a lot of the newer phone they're coming out with the iPhones are and all about their error encrypting their data so rather than actual images talk a lot of what's happening the fronton community is the rely on like the iCloud backups and it's Explorer per foot on some of the top methods to get that be long if your technique change at all you have to go to work with fixer juice we operate on the exception that we go to for most of the problems go so you know easily we

collect our evidence if you obtain a company all those sorts of things we have processes in place on how we actually do our outputs so that we'd ever if you have to go to port and you can specify those we operate on the assumption to report negative work nine percent ammonia

ah I don't have a clock back up and smuggle it out this is it might be I'm not an expert on it but the iPhone Astra has backup which kind of makes it easier to be access to that file backup it's a little bit easier to fit the data a lot of Android you can connect with the loop circuit license to get images but the trick you're going to find with Android as one you have a driver that particular phone and do the forensics will support the gun seconds are up on newer cars it's usually not an issue but if you get to order phones or older models there may not be drivers available in order to

any other questions all right um thank you for your time start with the delicate work I apologize will John do better next time [Applause]