This document summarises a security meeting presentation covering malware analysis, disaster recovery, and security information and event management (SIEM). It gives definitions and discussion of digital forensics, malware, and digital evidence, including the ACPO good-practice principles, the "Trojan defense", evidence collection and chain of custody, and it outlines why malware analysis and finding malware creators and users are hard, citing privacy issues, reverse engineering, and the need for cooperation between countries and ISPs. The presentation was given by David Marques of the Data Recover Center (DRC), Lisbon, Portugal, on 16th March 2012.
1. Security Meeting
Malware Analysis, Disaster Recovery & SIEM
Portugal
Switzerland
Mozambique
Angola
Australia
Speaker: David Marques
16th March 2012
2. Data Recover Center
Lisboa Phone: 707 200 017 E-Mail: geral@drc.pt Website: www.drc.pt
History
• Founded in 1989
• 1998: Data Recovery
• 2006: Digital Forensics
• 2009: Consulting & Monitoring
3. Data Recover Center
Digital Forensics (Computer Forensics)
Definition: Digital forensics (sometimes known as digital
forensic science) is a branch of forensic science encompassing
the recovery and investigation of material found in digital
devices, often in relation to computer crime. The term digital
forensics was originally used as a synonym for computer
forensics but has expanded to cover investigation of all devices
capable of storing digital data.
4. Data Recover Center
Digital Forensics (Computer Forensics)
Applications: Digital forensics investigations have a variety of
applications. The most common is to support or refute a
hypothesis before criminal or civil (as part of the electronic
discovery process) courts. Forensics may also feature in the
private sector; such as during internal corporate investigations
or intrusion investigation (a specialist probe into the nature and
extent of an unauthorized network intrusion).
5. Data Recover Center
Malware
Definition: Malware, short for malicious software, is software
designed to disrupt computer operation, gather sensitive
information, or gain unauthorized access to computer systems.
Although it is often delivered as a program, it can also take the
form of a script or a fragment of code. Malware is a general term
for any software or code specifically designed to exploit a
computer, or the data it contains, without consent; computer
professionals use it to cover a variety of hostile, intrusive, or
annoying software.
6. Data Recover Center
Malware
Predictions 2012:
• Targeted attacks grow more damaging and complex
• Illicit social media scams escalate
• Mobile Malware menaces users and organizations
• Compromised websites serving malicious content
accelerate
• Major sport events draw major cyber attacks
• Attacks on Cloud Services inevitable
7. Data Recover Center
Digital Evidence
Definition: Digital evidence or electronic evidence is any
probative information stored or transmitted in digital form
that a party may use at trial. Before accepting digital evidence
a court will determine if the evidence is relevant, whether it is
authentic, if it is hearsay and whether a copy is acceptable or
the original is required.
9. Data Recover Center
Digital Evidence
ACPO Guidelines: Good Practice Guide for Computer-Based
Electronic Evidence.
ACPO – Association of Chief Police Officers (England; Wales;
Northern Ireland)
7Safe – www.7safe.com
10. Data Recover Center
Digital Evidence
Principle 1: No action taken by law enforcement agencies or
their agents should change data held on a computer or
storage media which may subsequently be relied upon in
court.
11. Data Recover Center
Digital Evidence
Principle 2: In circumstances where a person finds it
necessary to access original data held on a computer or on
storage media, that person must be competent to do so and
be able to give evidence explaining the relevance and the
implications of their actions.
12. Data Recover Center
Digital Evidence
Principle 3: An audit trail or other record of all processes
applied to computer-based electronic evidence should be
created and preserved. An independent third party should
be able to examine those processes and achieve the same
result.
13. Data Recover Center
Digital Evidence
Principle 4: The person in charge of the investigation (the
case officer) has overall responsibility for ensuring that the
law and these principles are adhered to.
14. Data Recover Center
ACPO vs Malware
Principle 2: In circumstances where a person finds it
necessary to access original data held on a computer or on
storage media, that person must be competent to do so and
be able to give evidence explaining the relevance and the
implications of their actions.
Malware example: RAM capture
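The following is an added example (not DRC's tooling and not part of the original slides) showing what principles 1 to 3, and the RAM-capture caveat of principle 2, look like in practice: the source is opened read-only and hashed before and after the copy, so any write to it during acquisition is detected; every step is logged so an independent party can rehash the image and reach the same result; and a live RAM capture, which necessarily changes the running machine, is recorded together with who did it and why. The "device" is a constructed file, and the case number, examiner name and memory-imager name are placeholders.

```python
"""Forensic acquisition with integrity checks and a reproducible audit trail.

Added example, not DRC's own tooling. The sample "device" is a constructed
file; the case number, examiner and tool names are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large sources


def sha256_file(path):
    """Streamed SHA-256 of a file; used on both the source and the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class AuditTrail:
    """Principle 3: an append-only record of every process applied to the evidence."""

    def __init__(self, case_id, examiner):
        self.case_id, self.examiner, self.entries = case_id, examiner, []

    def record(self, action, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "case": self.case_id,
                 "examiner": self.examiner, "action": action, **details}
        self.entries.append(entry)
        return entry

    def dump(self):
        return json.dumps(self.entries, indent=2)


def acquire_image(device_path, image_path, trail):
    """Principle 1: read-only copy, hashed at both ends.

    Source hash before != after means something wrote to the source while we
    worked (e.g. no write blocker); source != image means the copy is not
    bit-identical. Either way the acquisition is rejected.
    """
    before = sha256_file(device_path)
    trail.record("hash_source_before", path=device_path, sha256=before)
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = sha256_file(device_path)
    image_hash = sha256_file(image_path)
    trail.record("copy", tool="stream copy (this script)", bytes=os.path.getsize(image_path))
    trail.record("hash_source_after", path=device_path, sha256=after)
    trail.record("hash_image", path=image_path, sha256=image_hash)
    if not (before == after == image_hash):
        raise RuntimeError("source changed during acquisition or image is not bit-identical")
    return image_hash


def verify_image(image_path, trail):
    """What an independent reviewer does: rehash the image and compare it with
    the value recorded in the trail at acquisition time."""
    recorded = next(e["sha256"] for e in trail.entries if e["action"] == "hash_image")
    return sha256_file(image_path) == recorded


def run_demo():
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sample-device.bin")  # constructed sample, not a real disk
    image = os.path.join(workdir, "case-2012-001.dd")
    with open(device, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE DEVICE CONTENT\n" * 8192)

    trail = AuditTrail(case_id="2012-001", examiner="examiner placeholder")
    image_hash = acquire_image(device, image, trail)
    verified = verify_image(image, trail)

    # Principle 2 caveat: a RAM capture alters the live machine, so the trail
    # states who did it, with what tool, and why it was justified.
    trail.record("ram_capture", tool="hypothetical memory imager",
                 justification="malware may exist only in RAM and be lost on power-off")

    # Simulate an altered image: one byte changed at offset 0 must be detected.
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    verified_after_tamper = verify_image(image, trail)

    return {"device": device, "image": image, "image_sha256": image_hash,
            "verified": verified, "verified_after_tamper": verified_after_tamper,
            "actions": [e["action"] for e in trail.entries]}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps({k: v for k, v in result.items() if k != "device"}, indent=2))
```

On a real case the source would be a block device behind a hardware write blocker, the image would be hashed with more than one algorithm, and the trail would be stored apart from the image; the structure of the check is the same.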
15. Data Recover Center
Trojan Defense
Defense: My computer has in fact been used to commit a
crime, but I was not responsible for any of the actions I am
being charged with. My computer might have had a Trojan (or other
malware) installed by someone else without my knowledge,
and it has been used to commit a crime.
16. Data Recover Center
Trojan Defense 2
Defense: My computer has in fact been used to commit a
crime, but I was not responsible for any of the actions I am
being charged with. My computer might have had a Trojan (or other
malware) installed by someone else without my
knowledge, and it has been used to commit a crime. Even if
the malware was not found during forensic analysis, it could be
that the malware existed only in RAM.
17. Data Recover Center
Evidence Collection
Steps:
- Non Digital environment
- Freeze the crime scene
19. Data Recover Center
Evidence Manipulation
What not to do:
- Turn the device on and boot it
- Boot the device in another computer
- Run antivirus
- Open files and applications
- Install applications and copy files onto your own device
20. Data Recover Center
Evidence Manipulation
Chain of custody: refers to the chronological documentation
or paper trail showing the seizure, custody, control, transfer,
analysis, and disposition of evidence, physical or electronic.
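As an added example (not DRC's own procedure or code), the chain-of-custody record above can be kept tamper-evident: each entry names the custodian, the event (seizure, transfer, analysis, disposition) and the time, and also commits to the SHA-256 of the previous entry, so an entry edited or removed after the fact, or a "transfer" from someone who never held the item, fails verification. The item id, custodian names and evidence hash are constructed placeholders.

```python
"""Tamper-evident chain-of-custody log for one evidence item.

Added example, not DRC's own tooling. Item id, names and the evidence
hash are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous digest" for the first record


def record_digest(record):
    """Digest over a canonical JSON form of the record, excluding its own digest."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChainOfCustody:
    def __init__(self, item_id, evidence_sha256):
        self.item_id = item_id
        self.evidence_sha256 = evidence_sha256
        self.records = []

    def add(self, event, custodian, from_custodian=None, note="", ts=None):
        prev = self.records[-1]["digest"] if self.records else GENESIS
        rec = {"seq": len(self.records) + 1, "item": self.item_id,
               "evidence_sha256": self.evidence_sha256, "event": event,
               "custodian": custodian, "from": from_custodian, "note": note,
               "ts": ts or datetime.now(timezone.utc).isoformat(), "prev": prev}
        rec["digest"] = record_digest(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        """Returns (ok, reason): checks sequence numbers, digest links, and that
        every transfer comes from the custodian who actually held the item."""
        prev, holder = GENESIS, None
        for i, rec in enumerate(self.records, start=1):
            if rec["seq"] != i:
                return False, f"record {i}: sequence gap (got {rec['seq']})"
            if rec["prev"] != prev:
                return False, f"record {i}: previous-digest link broken"
            if record_digest(rec) != rec["digest"]:
                return False, f"record {i}: contents changed after being recorded"
            if rec["event"] == "transfer" and rec["from"] != holder:
                return False, f"record {i}: transfer from {rec['from']!r} but holder was {holder!r}"
            prev, holder = rec["digest"], rec["custodian"]
        return True, "chain intact"


def build_demo_chain():
    chain = ChainOfCustody("EXH-01 (laptop HDD)", "ab" * 32)  # placeholder evidence hash
    chain.add("seizure", "Officer A", note="seized at premises, bagged and sealed")
    chain.add("transfer", "Examiner B", from_custodian="Officer A", note="handed to lab")
    chain.add("analysis", "Examiner B", note="imaged; image hash matches evidence_sha256")
    chain.add("transfer", "Evidence store", from_custodian="Examiner B")
    chain.add("disposition", "Evidence store", note="retained pending trial")
    return chain


def run_demo():
    intact = build_demo_chain().verify()

    edited = build_demo_chain()
    edited.records[1]["note"] = "handed to lab (altered later)"  # silent edit
    edited_result = edited.verify()

    removed = build_demo_chain()
    del removed.records[2]  # the analysis step is dropped from the log
    removed_result = removed.verify()

    bad_handover = ChainOfCustody("EXH-02", "cd" * 32)
    bad_handover.add("seizure", "Officer A")
    bad_handover.add("transfer", "Examiner B", from_custodian="Officer C")  # C never held it
    handover_result = bad_handover.verify()

    return {"intact": intact, "edited": edited_result,
            "removed": removed_result, "bad_handover": handover_result}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

The digest chain only detects changes made after the fact; it does not make the first entry truthful. In practice the log is written to a separate, access-controlled system and each handover is countersigned by both parties.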
21. Data Recover Center
Malware Analysis
Why is it so hard to find malware
creators and users?
22. Data Recover Center
Malware Analysis
Malware:
- Forensic imaging; logs; etc.
- Privacy issues
- Reverse engineering
- Find evidence of a relation between victim and
attacker
- Find geographic location
- Cooperation between countries
- Coordination between ISPs
- Locate attacker & evidence
23. Data Recover Center
Malware Analysis
Future?
24. Data Recover Center
Thanks! Q & A?
David Marques
dmarques@drc.pt