Incident Response Incident Response for Cheapskatesfor Cheapskates

Lee BrotherstonLee Brotherston

Let's define anLet's define an

IncidentIncident

Where can we Where can we

Improve?Improve?

HijackHijack Integrate with Integrate with

ExistingExistingprocessesprocesses

Roles &Roles &ResponsibilitiesResponsibilities

Determine theDetermine the

RulesRulesof engagementof engagement

LeverageLeverage existing existing

toolstools

Relationships andRelationships and

PoliticsPolitics

SIEM'lessSIEM'lessIntelligenceIntelligence

Live systemLive systemForensicsForensics

SniperSniperForensicsForensics

Memory Analysis withMemory Analysis with

VolatilityVolatility

The Sleuth Kit +The Sleuth Kit +

AutopsyAutopsy

But... Encase & hardwareBut... Encase & hardware

WriteWriteBlocker?Blocker?

Oxford SemiconductorOxford Semiconductor

OXUF922 Bridge ChipOXUF922 Bridge Chip

Oxford SemiconductorOxford Semiconductor

OXUF922 Bridge ChipOXUF922 Bridge Chip

AgereAgereFW801FW801AgereAgereFW801FW801

FlashFlashSSTSST

39VF10039VF100

FlashFlashSSTSST

39VF10039VF100

RAMRAMIDTIDT

71V016SA71V016SA

RAMRAMIDTIDT

71V016SA71V016SA

FirewireFirewireFirewireFirewire

USBUSBUSBUSB IDEIDEIDEIDE

Write Blocker DiagramWrite Blocker Diagram

ArmArmProcessorProcessor

OXUF922 Bridge ChipOXUF922 Bridge Chip

DMADMA1394 / USB / 1394 / USB / UART / IDE / UART / IDE / SerialSerial

QueueQueueManagerManager

RAMRAM ControlControl

Hardware Write BlockersHardware Write Blockers

Run Software!Run Software!

Attribution: Brad McMahonAttribution: Brad McMahonAttribution: Brad McMahonAttribution: Brad McMahon

Taking an image withTaking an image with

dc3dd / dddc3dd / dd

# parted /mnt/usbdsk/target0_img.dd # parted /mnt/usbdsk/target0_img.dd GNU Parted 2.3GNU Parted 2.3Using /mnt/usbdsk/target0_img.ddUsing /mnt/usbdsk/target0_img.ddWelcome to GNU Parted! Type 'help' to view a list of commands.Welcome to GNU Parted! Type 'help' to view a list of commands.(parted) unit(parted) unitUnit? [compact]? B Unit? [compact]? B (parted) print (parted) print Model: (file)Model: (file)Disk /mnt/usbdsk/target0_img.dd: 500107862016BDisk /mnt/usbdsk/target0_img.dd: 500107862016BSector size (logical/physical): 512B/512BSector size (logical/physical): 512B/512BPartition Table: msdosPartition Table: msdos

Number Start End Size Type FileNumber Start End Size Type File 1 1048576B 210763775B 209715200B primary ntfs1 1048576B 210763775B 209715200B primary ntfs 2 210763776B 107586662399B 107375898624B primary ntfs2 210763776B 107586662399B 107375898624B primary ntfs 3 107586662400B 479341645311B 371754982912B primary ntfs3 107586662400B 479341645311B 371754982912B primary ntfs 4 479341645312B 500103450111B 20761804800B primary diag4 479341645312B 500103450111B 20761804800B primary diag

(parted) quit(parted) quit

# mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/# mount -o loop,ro,offset=210763776 /mnt/usbdsk/target0_img.dd /mnt/image/

# ls /mnt/image/# ls /mnt/image/pagefile.sys Program Files System Volumepagefile.sys Program Files System VolumeInformation Documents and Settings PerfLogsInformation Documents and Settings PerfLogsProgram Files (x86) Recovery UsersProgram Files (x86) Recovery UsersProgramData $Recycle.BinProgramData $Recycle.BinWindowsWindows

What about virtualisedWhat about virtualised

Environments?Environments?

Free Forensics ToolsFree Forensics Tools

vs Encasevs Encase

Data & File AnalysisData & File Analysis

ToolsTools

For starters tryFor starters try

C.A.IN.EC.A.IN.E(Linux LiveCD)(Linux LiveCD)

RemediationRemediationCleanup/Shutdown/ProsecuteCleanup/Shutdown/Prosecute

Lessons Learned. Let'sLessons Learned. Let's

Market!Market!

Thank youThank youAny Questions?Any Questions?

Lee Brotherston - Lee Brotherston - @leEb_public - @leEb_public - lee@nerds.org.uklee@nerds.org.ukLee Brotherston - Lee Brotherston - @leEb_public - @leEb_public - lee@nerds.org.uklee@nerds.org.uk

Some Things I MentionedSome Things I Mentioned● Flow-tools: Flow-tools: http://www.splintered.net/sw/flow-http://www.splintered.net/sw/flow-tools/tools/

● Sleuthkit & Autopsy: Sleuthkit & Autopsy: http://www.sleuthkit.org/http://www.sleuthkit.org/

● Volatility: Volatility: https://www.volatilesystems.com/defaulthttps://www.volatilesystems.com/default/volatility/volatility

● C.A.IN.E:C.A.IN.E:

http://www.caine-live.net/http://www.caine-live.net/

● Dc3dd: Dc3dd: http://sourceforge.net/projects/dc3dd/http://sourceforge.net/projects/dc3dd/