WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+ WHAT IS INCIDENT RESPONSE An organized approach to addressing and managing the aftermath of a security breach or attack. STEPS TO SUCCESS PURPOSE OF INCIDENT RESPONSE Preparation Detection & Analysis Root cause analysis Recovery Prevent further damage Eradication Did an incident occur Containment User Awareness Reimage the affected workstation Post Incident Activity Lessons Learned PREPARATION User Awareness & Training SOCIAL ENGINEERING DETECTION & ANALYSIS You can’t Respond if you can’t Detect Logs – Hopefully a SIEM Workstation \ Server Firewall IDS \ IPS Internet Proxy \ Filter MSSP \ 3rd Party End Users \ Customers You! CONTAINMENT Prevent Further Damage NAC ACL Firewall Switch Software Application Whitelisting AV ERADICATION Root Cause Analysis Make Sure Problem Does Not Come Back! RECOVERY Known Good Configuration Reimage Device Restore from Backup POST INCIDENT ACTIVITY Lessons Learned What Worked What Didn’t Work New Policy \ Procedures Change to existing Controls Implement New Controls WINDOWS BASED FORENSIC TOOLKIT TABLEAU WRITE BLOCKER SATA\IDE DIGITAL CAMERA Document state of evidence Inventory items seized CHAIN OF CUSTODY FORM Log all transfer of evidence EVIDENCE BAGS MISC. ACCESSDATA FTK IMAGER Physical\Logical Hard Drive Acquisition ACCESSDATA FTK IMAGER Live Memory Acquisition Encryption Keys, Passwords, Running Processes IMDISK VIRTUAL DISK DRIVER Mount evidence files as Read Only Hard Drive REGRIPPER Registry Analysis SAM Security Software System NTUser HELIX Free Version still available Best of Both Worlds Run applications from within Windows Boot from Linux Live CD MALWAREBYTES ANTI-MALWARE EXIFTOOL - PHOTOS EXIFTOOL – OFFICE DOCUMENTS PROCMON INTERNET EVIDENCE FINDER FORENSIC SOFTWARE SUITE FORENSICS AND THE STATE OF MICHIGAN PROFESSIONAL INVESTIGATOR LICENSURE ACT As of May 28, 2008, all computer forensic firms must have a Private Investigators license to practice in Michigan. Any person engaged in the collection of electronic evidence and/or engaged for the presentation electronic evidence in a Michigan court must have a valid Private Investigators License REFERENCES & THANKS NIST 800-61 NIST 800-86 http://www.cert.org/csirts/Creating-A-CSIRT.html http://www.ussecurityawareness.org/highres/incidentresponse.html http://windowsir.blogspot.com http://www.ericjhuber.com Chris Pogue – Trustwave SpiderLabs http://blog.spiderlabs.com (Sniper Forensics) NEXT TIME