Enterprise Forensics 101
2 likes1,821 views
This document provides an overview of enterprise forensics from Mona Arkhipova of QIWI. It discusses common use cases for enterprise forensics including internal incidents, external incidents, and fraud investigations. It then outlines the steps of a typical live response including collecting system details, network information, processes, logs and disk/memory images. Specific collection for Linux and Windows systems is also covered. Forensic toolkits for both operating systems are listed and carving techniques are discussed for deep diving non-volatile evidence through timelines, file filtering and malware analysis. The document concludes with an overview of QIWI's forensic lab and tools used as well as considerations for reporting.
Enterprise Forensics 101
- 1. Mona Arkhipova QIWI BigSister Enterprise Forensics 101
- 2. #whoami • Head of united monitoring/lead security expert at QIWI • Past: Security analyst at GE Capital, independent security consultant at fintech, systems/network administrator
- 3. Enterprise forensics: use cases • Internal incidents • User behavior related (suspicious attachments etc) • Internal fraud • External incidents • Online banking • Targeted malware And special thanks to Red Team for mastering our forensics skills ;)
- 4. Let’s get this party started • Write down all the non-technical incident details • Possibility of live response? • Grab all the checksums/hardware details/images/etc • Inspect all the related systems (if applicable)
- 5. Live Response: common • Date and time, ntp settings • Network: connections, active network software, routing • Running processes and services • Scheduled jobs • Users and groups • Logs, active memory and swap full dump • Disk image
- 6. Live Response: Linux-specific • Kernel modules • File systems • All executable files • dmesg
- 7. Live Response: Windows-specific • DLLs, setupapi.log • Mapped drives, opened shares • Prefetch • Policies • RAW registry files (hives) • Autorun, NTUSER.DAT from all accounts
- 8. Live Response: toolkit Linux: • Built-in: nc, netstat, lsof, ps, strace, strings, dmesg, dd and so on Windows: • MIR-ROR script/Sysinternals suite • Mandiant’s memoryze Specific tools: WinFE, Sleuthkit, AccessData FTK imager, EnCase Forensic Imager/LinEn, Magnet RAM Capture, ewfacquire/libewf
- 9. Imaging • Prepare a proper drive for imaging. Wipe&format if needed • You may use some special tools during Live Response or just a Linux/WinFE live CD • Never. Mount. Original. Evidence. Partitions.
- 10. Carving: deep dive into non-volatile evidences • Before you begin: • Prepare image/device write protection • Write up all inputs: devices S/N, acquired images or files checksums, device or image “healthcheck” status
- 11. Carving: basics • Mount all evidences copy in RO mode (OSFMount, FTK Imager, mount –o ro) • Capture all the hierarchy • Create timelines (fls, regtime.pl, PowerForensics) • Collect all executables and run them against known file filter or any similar tool
- 12. Carving: so…what? Sorry guys. No universal recipe here. • Take one more look at your initial incident details • Review log files (or utilize Splunk/ELK for drill down) • Review all accounts related information • Review timelines, files created in incident timeframe • Put all KFF non-filtered files to malwr/virustotal or standalone cuckoo server • Review all the found scripts
- 13. Carving: keeping all the memories
- 14. Carving: internal investigations and human factor The most common interesting files if there’s a ”suspicious user” in place - IM logs - Browsers history and cache - Recently opened files and downloads - Devices history - Remote control tools artefacts
- 15. Carving: Enterprise insides • Export all the related information from your security tools (IDS/IPS, firewall logs, proxies, SIEM records, DLP, AV alerts) • Sometimes the initial point of compromise is not what you’ve suspected • If you do not see something strange in your SIEM – it is not a reason to relax.
- 17. QIWI Forensic Lab: Toolkit • AccessData: Forensic Toolkit v6, PRTK, Imager, Registry viewer, KFF. • R-studio • IDA Pro • Redline • And a lot of other small Santa’s helpers (log2timeline, srch_strings, Volatility framework, OSFMount, EDD, Nirsoft tools etc)
- 18. Reporting. I know you hate it. Common information: • Case summary (brief overview what’s happened and when) • Serial numbers, make, model etc. • All the preparation steps Investigation process: • Tools used, start and end dates • Detailed information about process – artifacts, pictures, documents… Conclusion
- 19. Questions? Mona Arkhipova QIWI infrastructure security Head of united monitoring team (SOC+OPS) mona@qiwi.com mona.sax m0na_sax