Hello Reader,
Here are my notes from Day 2 of PFIC. This is the last of these posts, as I didn't attend the day 3 session in depth: snow was falling and clients were calling. I'll be updating these posts with the slides from the relevant lectures so you can see those as well.
Day 2 - PFIC Notes
8:00am Session - Ira Winkler 'The Cyber Jungle'
Ira is very personable; I like his show as well as him.
Two good stories so far: the first promoting InfraGard (Ira is the president of his local InfraGard), the other involving credit card fraud.
Why does the media ask dumb questions on TV? The guest gives them dumb questions to ask.
Executives don't want to disclose and notify; this is something I have also found.
CryptoLocker story time.
Pointing out the FUD about CryptoLocker that's out there: a bad media report showing a technical person saying that firewalls, service packs and good passwords could have prevented CryptoLocker.
Another good story, this one about a reporter's experience with some attorneys.
Reporters are under pressure to get multiple stories a day. This can hurt parties who can't handle the media well and provide answers quickly.
An interesting story about how ankle bracelets are being removed and used to commit crimes in Las Vegas, with the offenders putting their bracelets back on when they get back to their house. The bracelets are not being actively monitored and the process is broken.
Downtown streetlights in Las Vegas will be able to monitor audio in the future, and in the near future officers will be able to listen to this audio via iOS apps on their phones. Ira is wondering if anyone is properly securing this channel, applying ISO 27k or another security standard, to prevent non-LEO from listening.
Make sure to listen to cyberjungleradio.com for his weekly podcast. Link to site: http://thecyberjungle.com/index.php
10:00am Session - Python for web application security testing
This is a talk on writing Python code for web app testing rather than using popular tools.
Recommends Head First Programming to learn Python.
Showing how to build a buffer overflow script in Python.
All of these scripts and the example app are on a Dropbox shared folder for those that want to try this at home.
This isn't your normal DFIR presentation; it's very infosec focused. The audience seems interested though, so that's good.
Showing how web apps store data and failed logins from buffer overflow attempts against a user authentication form. This is not a Python tutorial but rather a show of what's possible and what it leaves behind.
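As an added example (mine, not the presenter's code), here is the defender's side of "what it leaves behind": a small triage script over constructed authentication-failure log lines that flags the oversized and repeated-character usernames an overflow attempt against a login form leaves in the application's own logs. The log format, field names and thresholds are assumptions, not anything from the talk.

```python
"""Triage of web-app authentication-failure logs for oversized inputs.

Added example for this post, not the presenter's code. The log format
(timestamp, LOGIN_FAIL, src=, user="...") is an assumption.
"""
import re
from collections import Counter

# Assumed record layout: <date> <time> LOGIN_FAIL src=<ip> user="<username>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) LOGIN_FAIL src=(?P<src>\S+) user="(?P<user>.*)"$'
)
# 16 or more of the same character in a row: the classic padding pattern
RUN_RE = re.compile(r"(.)\1{15,}")

# Constructed sample log lines (not from any real system)
SAMPLE_LOG = "\n".join([
    '2013-11-12 10:02:11 LOGIN_FAIL src=10.0.0.5 user="alice"',
    '2013-11-12 10:02:15 LOGIN_FAIL src=10.0.0.5 user="alicia"',
    '2013-11-12 10:03:02 LOGIN_FAIL src=203.0.113.9 user="admin"',
    '2013-11-12 10:03:03 LOGIN_FAIL src=203.0.113.9 user="' + "A" * 64 + '"',
    '2013-11-12 10:03:04 LOGIN_FAIL src=203.0.113.9 user="' + "A" * 512 + '"',
    '2013-11-12 10:03:05 LOGIN_FAIL src=203.0.113.9 user="' + "B" * 40 + 'CC"',
])


def parse_line(line):
    """Return the record fields as a dict, or None for lines not in the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(user, max_len):
    """List the reasons a submitted username looks like overflow probing."""
    reasons = []
    if len(user) > max_len:
        reasons.append("length>%d" % max_len)
    run = RUN_RE.search(user)
    if run:
        reasons.append("repeated '%s' x%d" % (run.group(1), len(run.group(0))))
    return reasons


def find_oversized(log_text, max_len=32):
    """Scan every failure record and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["user"], max_len)
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "len": len(rec["user"]), "reasons": reasons})
    return findings


def summarize_by_source(findings):
    """Count flagged attempts per source address for the triage summary."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_oversized(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["len"], ", ".join(h["reasons"]))
    print(summarize_by_source(hits))
```

The thresholds are deliberately loose; the point is that a legitimate login form rarely sees a 64-character username, so length alone separates probing from typos, and grouping by source shows the pattern the presenter described.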
Edited some code and talked about what things affect and change.
Moved on to XSS attacks.
Talking about the Python function htmlspecialchars to prevent XSS.
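Added example, not from the talk: htmlspecialchars is PHP's name for this function, and the Python standard-library equivalent is html.escape. The snippet below puts the vulnerable rendering beside the hardened one for both element content and a quoted attribute, which is where the quote=True flag matters. The template strings and the test input are constructed.

```python
"""Reflected XSS: untrusted input rendered into HTML, unescaped vs escaped.

Added example for this post, not the presenter's code. The templates are
assumed; html.escape is the standard-library equivalent of htmlspecialchars.
"""
import html

# Constructed templates; the placeholder is where user-supplied text lands
TEXT_TEMPLATE = "<p>Welcome back, {name}!</p>"
ATTR_TEMPLATE = '<input name="q" value="{value}">'

# Constructed test inputs
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_unsafe(name):
    """Vulnerable: the input is interpolated straight into the markup."""
    return TEXT_TEMPLATE.format(name=name)


def render_safe(name):
    """Hardened: < > & are encoded, so the browser shows text, not a tag."""
    return TEXT_TEMPLATE.format(name=html.escape(name, quote=True))


def render_attr_unsafe(value):
    """Vulnerable: a double quote in the input closes the attribute early."""
    return ATTR_TEMPLATE.format(value=value)


def render_attr_safe(value):
    """Hardened: quote=True also encodes \" and ', keeping the value inside
    the attribute it was meant for."""
    return ATTR_TEMPLATE.format(value=html.escape(value, quote=True))


def contains_raw_tag(markup, tag="script"):
    """Rough check used to compare the two renderings: is a raw <tag still present?"""
    return ("<" + tag) in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(TEXT_PAYLOAD))
    print(render_safe(TEXT_PAYLOAD))
    print(render_attr_unsafe(ATTR_PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
```

Escaping is context-specific: html.escape is the right tool for element text and quoted attribute values, but data placed into a script block, a URL or a style rule needs that context's own encoding.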
Moving on to how to use Python to do testing and get over common hurdles. The first hurdle is basic auth.
Don't store credentials within code; retrieve them via prompts to the user on execution.
All functions covered so far are built-in Python libs.
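An added example of that pattern using only the standard library (my code, not the presenter's): credentials are collected with getpass at run time rather than written into the script, and urllib's password manager answers the basic-auth challenge. The base URL is a placeholder. The decode helper is there because basic auth is base64, not encryption, which is why such a test script should only ever talk to the target over TLS.

```python
"""Basic auth from a Python test script without credentials in the source.

Added example for this post, not the presenter's code. The target URL is a
placeholder; everything else is standard library.
"""
import base64
import getpass
import urllib.request


def basic_auth_header(username, password):
    """Build the Authorization value HTTP Basic auth expects:
    'Basic ' followed by base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(value):
    """Recover (username, password) from an Authorization header value.
    Shows why basic auth over plain HTTP is a credential leak."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def prompt_credentials():
    """Ask at run time instead of hard-coding; getpass hides the password."""
    user = input("Username: ")
    pw = getpass.getpass("Password: ")
    return user, pw


def build_opener(base_url, username, password):
    """Opener that answers 401 challenges for base_url. The default-realm
    manager means the server's realm string need not be known in advance."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, username, password)
    return urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))


def opener_has_basic_auth(opener):
    """True when the opener carries a basic-auth handler (used by tests)."""
    return any(isinstance(h, urllib.request.HTTPBasicAuthHandler)
               for h in opener.handlers)


def fetch(base_url, path, username, password, timeout=10):
    """GET base_url + path with the prompted credentials; returns (status, body)."""
    opener = build_opener(base_url, username, password)
    with opener.open(urllib.request.Request(base_url + path), timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    base = "https://target.example/"  # placeholder: the lab app's base URL
    user, pw = prompt_credentials()
    status, body = fetch(base, "protected/", user, pw)
    print(status, len(body), "bytes")
```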
He is now going into Scapy, which is a 'full featured library for performing network operations': a packet capture/manipulation/creation/replay lib.
Live demonstration of capturing, reviewing and replaying traffic with Scapy.
Showing the built-in fuzzer within Scapy.
Showing how to spoof the traffic in your fuzzing with Scapy.
Ending now and discussing the benefits of Python. He's not saying not to use off-the-shelf tools, but if you want to be successful and understand more, getting lower level with Python directly will allow you to be more versatile.
10:30am Session - Me!
It was amazing!
It was wonderful!
Offers of free coffee were given!
I'm writing this before my session but this is how I want it to go.
In reality it went well, but I had live demos fail as they are apt to do; even Excel was crashing on me. Luckily I added in pre-generated results to move things forward.
11:30am Session - Jake Williams, IaaS forensics
IaaS, infrastructure as a service, is the acronym that represents most of the cloud virtualized systems we talk about.
Get an Incident Response plan and make sure it contains what to do for both your internal and externally hosted assets.
You are stuck trusting the hypervisor at some base level.
In a commercially hosted cloud you don't have access to the hypervisor (Amazon); if you are a privately hosted cloud (your own ESX server) you do have access to the hypervisor.
You need to validate that the hypervisor has not been compromised.
If the hypervisor has been tampered with you need to collect additional evidence.
Jake has found an ESX server where the hypervisor was compromised and thus can no longer say it doesn't happen. If the hypervisor is compromised then the attacker can control physical memory outside of the guest OS and guest OS artifacts.
There are hypervisor logs that you should be collecting.
This is not typical though, but you should grab the logs to be sure.
The vm-support command will output a tgz file with the logs and VM inventories that you need.
USB over IP devices are separately logged by the hypervisor versus USB devices physically plugged in.
Don't use shared admin accounts if you want easy attribution of admin actions.
Introspection isn't easily detected by the attacker and can normally be used to collect data outside of the attacker's view.
In-band (non-hypervisor-based) actions are bad because bad guys can easily detect your response effort.
You can't do out-of-band actions on public clouds (Amazon) as they don't give you hypervisor access, so you're stuck with traditional live response.
Making full disk images of cloud hosts is typically difficult as your bandwidth to the site is your bottleneck.
Amazon, and hopefully soon Rackspace, will write your data to a physical disk and mail it to you.
You supply the drive and cables, they charge you $80 per disk, and they will accept a shipping label so you can get it via FedEx.
Accounting records will be provided but they don't do Chain of Custody.
The Amazon feature mentioned, called 'bulk export', is not meant as a forensic/IR service.
A good alternative is to spin up a forensic/IR virtual instance so you can keep the data within the cloud and speed up your investigation.
Have dongle-restricted software you want to run in the cloud? Use USB over IP.
The hardest part of dealing with hosted/cloud-hosted systems is making sure the tech is going to follow your procedures and not shut down the system or kill the VM instance.
Snapshots are great, memory is better.
Public clouds (Amazon, etc.) don't allow you to request physical memory out of band from the hypervisor.
Public cloud snapshots are disk states but not memory states.
If you capture the memory to a network share, make sure you lock down who can access it or else you may have non-authorized personnel accessing secrets.
You can still do CoC yourself; F-Response is a great imaging solution for cloud hosts.
If you get compromised, public providers like Amazon limit their liability in case of a compromise from their end to a refund of that month's fees.
If you don't want to use F-Response, FAU is another good tool to use for live cloud imaging, but make sure to put it over an encrypted tunnel.
Protect your memory dumps, possibly encrypt them.
Out-of-band imaging is still the best option.
HP has internal resources that can out-of-band image an HP hosted cloud server.
The issue with imaging logical disks in non-VMware clouds is that tools often can't find the end of the disk and keep writing forever.
Test your tools in your cloud for your IR plan to find out which ones fail silently.
Hypervisor imaging is as simple as snapshotting.
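As an added example (my code, not Jake's, and not how F-Response or FAU work internally), the following imaging routine builds in two of the checks this session called for: it copies exactly the number of bytes the disk is supposed to have instead of trusting end-of-file, so a cloud block device that never reports EOF cannot make it write forever, and it records a SHA-256 digest and byte count for your own chain-of-custody log, which the verify step re-checks. The "endless" source and the disk contents are constructed stand-ins so it runs offline.

```python
"""Bounded, hashed disk imaging with a verification step.

Added example for this post, not the presenter's or any imaging tool's code.
The EndlessSource class and the disk contents are constructed test fixtures.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size


def image_source(src, dst_path, expected_size, chunk=CHUNK):
    """Copy exactly expected_size bytes from file-like src to dst_path.

    The loop is bounded by the size you obtained from the provider or the
    VM inventory, never by EOF, and a source that runs short raises rather
    than producing a silently truncated image. Returns a CoC record."""
    digest = hashlib.sha256()
    written = 0
    with open(dst_path, "wb") as out:
        while written < expected_size:
            want = min(chunk, expected_size - written)
            buf = src.read(want)
            if not buf:
                raise IOError(f"source ended at {written} of {expected_size} bytes")
            out.write(buf)
            digest.update(buf)
            written += len(buf)
    return {"path": dst_path, "bytes": written, "sha256": digest.hexdigest()}


def verify_image(record):
    """Re-hash the image on disk and compare size and digest with the record."""
    digest = hashlib.sha256()
    size = 0
    with open(record["path"], "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            digest.update(buf)
            size += len(buf)
    return size == record["bytes"] and digest.hexdigest() == record["sha256"]


class EndlessSource:
    """Constructed stand-in for a cloud logical disk that never reports EOF:
    after the real data it keeps returning zero-filled reads forever."""

    def __init__(self, data):
        self._data = data
        self._pos = 0

    def read(self, n):
        # n is always positive here; image_source never asks for -1
        if self._pos < len(self._data):
            out = self._data[self._pos:self._pos + n]
            self._pos += len(out)
            return out
        return b"\x00" * n


def run_checks():
    """Exercise the bound, the digest and the short-source failure; returns flags."""
    data = os.urandom(3 * 1024 * 1024)  # constructed 3 MiB disk contents
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        dst = os.path.join(workdir, "evidence.dd")
        rec = image_source(EndlessSource(data), dst, expected_size=len(data))
        results["bounded"] = rec["bytes"] == len(data)
        results["hash_matches"] = rec["sha256"] == hashlib.sha256(data).hexdigest()
        results["verifies"] = verify_image(rec)
        try:
            image_source(io.BytesIO(data[:1024]), os.path.join(workdir, "short.dd"),
                         expected_size=len(data))
            results["short_detected"] = False
        except IOError:
            results["short_detected"] = True
    return results


if __name__ == "__main__":
    print(run_checks())
```

Running this against a lab instance before an incident is the "test your tools" step from the session: if the provider's device never signals end of disk, the bound is the only thing stopping the copy, and the recorded digest is what you compare against once the image has been moved to the locked-down, preferably encrypted, evidence share.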
1:30pm Session - Memory forensics with Chad Tilbury
I should have gone into this session but I was too busy talking to people through lunch. I did see the end and recognized a subset of slides from FOR508, but he ended it with a nice preview of Mac and Linux memory forensics.
2:30pm Session - Recovering your costs in e-discovery
Quote from a judge in Fair Housing Center of Southwest Michigan v. Hunt, where the judge chastised a party for turning the litigation into an e-discovery workshop.
Nice review of which ESI costs can be recoverable; this is good information for me to advise my clients who are not aware this exists.
If you want to recover costs you have to show detail and provide affidavits that explain why it was necessary and how the costs break down.
Don't be vague on invoices, and document your work if you want your costs to be recoverable for your client in the event they prevail.
Moore v. Weinstein - the prevailing party received $36,196, of which the e-discovery service provider made up $22,000, and had asked for $40,000.
In-house work done within a party's firm needs to have reasonable costs, and the work done must justify the rate desired to be applied.
A fun sidebar about Thor and SHIELD and whether working with Thor would show the government endorsing a religion.
Interesting: court rulings have come out stating that native productions of documents are not recoverable costs.
No cost for hosting; courts still compare data hosting to warehouses holding paper - non-recoverable costs.
Forensic costs within e-discovery are recoverable; forensic investigation fees of an expert witness are also recoverable separately.
Second 'geek break': discussion on how wills would be affected by 12 regenerations of Doctor Who.