NCDAA Seminar: Digital Forensics AM Session


AM Session: Understanding the Data: Context & Correlation
Professor Matthew Miller, PhD, University of Nebraska Kearney

PM Session: Context & Correlation
Shawn Kasal, Digital Forensic Expert, 12 Points Technologies LLC

Wednesday, October 9, 2019
Embassy Suites Hotel – La Vista Conference Center

Learning Outcomes

INTRODUCTION
• DOD
• NC4 Cybercop
• In-Q-Tel at University of Nebraska Kearney and Omaha
• Expert Witness
• GM, Ford Motor Company and Daimler Benz

What does it take to construct, design and build a work product?
A mix of ability, talent and skill is needed to construct and deconstruct systems.
A system is larger and more complex than a computer network.
GeoPolitics is a system.

Our Team
Our diversity, talent & backgrounds allow us to accomplish what others cannot do.
• Arab Spring
• Election
• Reality Winner

JP 3-13
• Computer Network Operations (CNO) consist of:
  • Computer Network Attack (CNA)
  • Computer Network Defense (CND)
  • Computer Network Exploitation (CNE)

Computer Network Operations (CNO)
• Broad term
• Military and civilian application
• Information is power
• More critical decision-based information is digitized and conveyed over an ever-expanding network of computers and other electronic devices
• Deliberate actions taken to leverage and optimize these networks to improve human endeavor and enterprise or, in warfare, to gain information superiority and deny the enemy this enabling capability

CNO ≈ CNA ≈ CND ≈ CNE
• What’s the difference?
• Computer Network Operations
• Computer Network Attack
• Computer Network Defense
• Computer Network Exploitation

Computer Network Attack (CNA)
• Includes actions taken via computer networks to:
  • Disrupt
  • Deny
  • Degrade
  • Destroy

Computer Network Defense (CND)
• Includes actions taken via computer networks to:
  • Protect
  • Monitor
  • Analyze
  • Detect
  • Respond

Computer Network Exploitation (CNE)
• Includes enabling actions to:
  • Gather Intelligence
  • Exploited Data
  • From Target or Adversary
  • Information Systems or Networks

Cyber Threat Intelligence
• Cyberwarfare
• Digital Forensic Incident Response (DFIR)
• OSINT
• Legal Aspects from criminal defense and civil litigation

Fall out
• Growth of Cybersecurity Companies
• Cyber Threat Focus
• Cyber Threat Intelligence
• Real-Time Cyberthreat Mapping

Every cyber attack is related to geopolitical conditions
• FireEye CEO Kevin Mandia
• Google hired FireEye to protect against state-sponsored cyber attack.
• The “dead reality” - every major cyberattack is state condoned.

Whoa, slow your roll Rock Starz!
Before we can get to the shell-poppin’ ‘make da sexy-time’ (joke) {Borat} hacking adventures that Red/Blue Teams have come to be known for, there is some homework to be done.

OSINT
A professional Investigator:
1. Intel gathering
2. Identify weakness & potential vulnerability
3. Evaluate exploitability
These may be physical, social engineering, logical or a combination.
Information is the new exchange commodity and, as such, there is a plethora of information about almost any subject freely available on the Internet or in the Public Domain.
What exactly does OSINT mean?

OSINT
Open-source intelligence (OSINT) is using publicly available sources to collect information (i.e., intelligence) about persons or entities from a wide array of sources including the Internet. OSINT is usually performed during the Reconnaissance phase of hacking, and pertinent information collected in this phase is carried over into the network Enumeration phase.

Due to the vast amounts of information available to sift through on the Web, attackers must have a clear and defined search framework as well as a wide array of OSINT collection tools to facilitate this task and assist with processing the data; otherwise they risk getting lost in the overwhelming sea of information that has become the Internet. OSINT reconnaissance can be further broken down into the following 5 sub-phases:

Phases of the OSINT Process (image courtesy of Chiheb Chebbi)

Source Identification
• Starting point of this initial phase
• Attacker identifies potential sources from which information may be gathered
• Sources internally documented throughout process
• Detailed notes for documentation & reference

Data Harvesting
• Attacker collects
• Attacker harvests
• From various available sources

Data Processing & Integration
• Attacker processes collected information
• Seeks actionable intelligence
• Identifies targeted information
• Integrates

Data Analysis
• Attacker performs data analysis
• Uses a variety of OSINT tools

Results Delivery
• OSINT Analysis is complete
• Findings presented and/or reported to other members of the Red Team

Legalese
• While performing OSINT is legal, the OSINT tools & techniques outlined here are intended to be used in conjunction with sanctioned Red Team activities as part of a contracted service & with the permission of the target.
• You should always protect yourself with a signed contract giving permission to “hack” their organization for the purposes of vulnerability assessment.
• NEVER skip this step

OSINT TOOLS
• Both free & paid OSINT tools available
• Using OSINT, you identify information using tools & pull any threads that may lead you to another avenue of investigation
• OSINT tools can look at the tech aspect or personal aspect of a person or corporation
• Buckle up

Google Search & Dorking
• You can explore a targeted webpage the old-fashioned way - by clicking through link by link by link
• But what aren’t you seeing? What are you missing?
• With specialized searches you can identify more about the pages on that site, as well as outgoing and incoming links, documents and other files

Personal Identifying Information (PID)
• Some sites publish compiled PID. PID comes from the data harvested by the ad industry
• PID = Name(s), Relatives, address, date of birth, where you lived in the past, work history, income, etc.
• Spokeo, Family Tree Now, Pipl, That’s Them, IntelTechniques, ZoomInfo, ZabaSearch, US Search, Snoop Station & Radaris
• As a Red Team member, you should regularly run yourself through these tools to minimize your damaging PID footprint

Maltego by Paterva
• Paid & Free versions that can investigate relationships between people, organizations (businesses) & website infrastructure
• Query personal information, social media footprint & interactions, DNS records, WhoIs, IPs, net blocks, search engines, API, corporate data, offshore leaks db, cryptocurrency, affiliations, documents & files
• Maltego helps you visualize these relationships in various formats
• For the geek in you, it is also possible to manually input data for complex visualizations or to create your own machines

Social Media
• Social Media sites are full of a wealth of personal information
• LinkedIn, Facebook, Twitter, Instagram, Snapchat, Peerlyst, Google+, etc.
• SM should be one of the first stops for a Red Team
• LinkedIn = ScrapedIn; Facebook = StalkScan; Twitter = GeoChirp, TweetsMap, Creepy for geolocation, Tinfoleak for images
• Dating sites: Tinder, OKCupid, Match.com, eHarmony, Plenty of Fish, Ashley Madison, Grindr

Deep Web
• The Deep Web consists of websites that are not regularly indexed
• Search engines: PubPeer, Google Scholar, Cornell University’s arXiv.org & Harvard’s Think Tank Search
• Main focus: Articles, white papers, studies, research and theses that are published primarily in academic and professional journals

Dark Web
• Search Engines: DeepDotWeb, Reddit Deep Web, Reddit DarkNetMarkets, Hidden Wiki, Core.onion (Tor browser) & Tor Scan
• Some sites & services on the dark web are invitation only & this can make them hard to find
• Network travel pattern analysis from within the Dark Web is the only way to find them
• Browsers: Tor, FreeNet, I2P

Limited to your Imagination
• OSINT is only limited to your imagination
• You can use these tools, add others, mix and match and get creative
• Tweak your tools and methods to your own needs
• More tools are found in Linux - Kali & BlackArch distributions
• At the end of your OSINT collection, you should have plenty of information to enumerate in the next phase

Phases
• Phase 1: Open Source Intelligence
• Phase 2: Enumeration
  • Phase 2a: External Recon: Passive information gathering, active information gathering, port scanning, service enumeration, network/application vulnerability identification
  • Phase 2b: Host Recon: Host reconnaissance, host controls & logging, host controls bypass, tools transfer, short term persistence, host privilege escalation, credential theft
  • Phase 2c: Internal Recon: Network, domain, asset, admin, network security

Phases
• Social Engineering Attacks: Spear phishing
• Privilege escalation
• Lateral Movement: Evade network security controls, network exploitation, elevate network privileges
• Maintaining Dominance: Gain domain admin, gain asset admin, sensitive asset access, exfiltrate sensitive data, long-term persistence
• Exfiltration techniques
• Evasion & obfuscation techniques
• Attacking Linux/Unix environments
• Virtualization attacks

Loose Lips & all that Jazz

In the air, on the land and sea: CYBER!

After this Course, You Should Be Able To:
• Explain the origins of forensic science
• Explain the difference between scientific conclusions & legal decision-making
• Explain the role of digital forensics & its relationship to traditional forensic science, traditional science & appropriate use of scientific methods
• Outline a range of situations where digital forensics may be applicable
• Identify & explain at least 3 current issues in