Getting started in digital forensics

00:00
Hello everyone, thanks for joining us on today's webinar, Getting Started in Digital Forensics. My name is Hunter Reed and I will be helping moderate today's webinar. We will introduce Keatron in just a few moments, but first I would like to explain a few tips to make this webinar a more interactive and engaging experience. As listeners, you are on listen-only mode. This means that you're muted, but you're more than welcome to ask questions at any time by typing them using the control panel's question feature. We'll save some time at the end
00:30
to have Keatron answer your questions, and if we don't get to all of them we'll make sure to personally follow up by emailing you an answer. If you're looking for CPEs, this webinar may qualify. After the webinar is over you will receive a follow-up email that will include the email address and form to fill out in order to receive a completion certificate. You will then be able to send that certificate to your certifying body. Remember to check with your certifying body to see if you meet requirements; they can vary. The follow-up email will also include a copy
01:01
of this webinar and the webinar slides. Now let's move on and introduce our speakers. We're excited to have Keatron back with us today to teach us a little bit about digital forensics. Keatron has done a few webinars with us in the past and always offers valuable contemporary insight into the world of cybersecurity. Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses, in addition to being the lead author of the best-selling book Chained Exploits:
01:32
Advanced Hacking Attacks from Start to Finish. You will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry. Jeff Peters is the product manager for
02:03
Infosec training, including both Infosec Flex boot camps and our new Infosec Skills on-demand training platform. He will be helping me moderate today's webinar. Today they will be diving into digital forensics and how it relates to careers, education and training in cybersecurity. Jeff, why don't you go ahead and get us started? Hey, thanks Hunter, great to be here and great to have Keatron back to discuss digital forensics with us. Keatron, I thought we could start by giving an overview of the different
02:38
types of forensics out there. You know, here at Infosec you teach a few different courses on different types of forensics, such as computer, mobile, network forensics, so maybe we could briefly explain the different types of digital forensics and how they relate to when you're conducting investigations. Yeah, absolutely Jeff, thanks a lot. So, um, computer forensics is really where a lot of it all started. When we think about digital forensics, if you look at the things listed here, a computer was,
03:09
you know, one of the first things, at least on the consumer side, that we had access to. You know, not everybody had a network or access to a network 40 years ago, but there were, you know, computers that were main parts of mainframes and things like that. So when we look at computer forensics, that's really the foundation of it all and where it all started. I think the very first computer forensics program was actually written by an IRS special agent, a Department of Treasury special
03:39
agent that was trying to prosecute some tax case with some big corporation, right? So it was a white-collar thing. So computer forensics is where it started, and nowadays when we say computer forensics we're mostly talking about dealing with memory and hard drives. So is there any evidence or any data on the hard drive that can prove a case or help us prove a case, and is there anything in memory on that computer that was left over from some recent attack, or whatever the case may be, that can help us prove the case?
04:11
When we look at mobile forensics, that's definitely a more recent innovation, because if you think about it, once upon a time, if you look at your mobile phone, like your cell phone, when phones first came out they were primarily used for what? You know, we used to just talk on them, right? Like if you think about how you utilize your phone, we primarily used them to talk, and then we migrated from that to we do everything but talk on it. Like I rarely actually have a conversation on my cell
04:44
phone now, and I think most of us fall in that same category. We do social media, we check emails and we play games on these things more than we do anything else, and another important thing we do on them is actually look for directions and use it for GPS. So long story short is these mobile devices, phones and things like that, are just a little treasure trove of digital evidence. So this has a lot to do with the huge uptick in the relevance and importance of mobile forensics. So when we say mobile
05:15
forensics we're primarily talking about cell phones, iPads and tablets and things like that. Network forensics is really, you look at, you're doing forensics on how all these other things communicate, right? So cell phones communicate via towers and in packets, computers communicate over networks via packets, so network forensics is really looking at the communication between devices and getting data and, you know, relevant evidence out of packets and that type of thing as related to how stuff
05:46
is communicating, and it's really, you know, another area that's taken on a lot more importance as of recent, because again, the more and more that we innovate in how we compute and do these things digitally, it changes where a lot of the evidence is. For example, a lot of the child exploitation cases that I've assisted on in the last five or six years, there's been a ton of evidence that's been gathered from network traffic, and primarily because if you look at the bad guys that are doing this stuff, a lot of them have wised up to the
06:18
fact that, oh, we should be streaming this stuff, we shouldn't be downloading it and having evidence on our hard drive, we should just stream it. So, you know, whereas there used to be a treasure trove of evidence on hard drives, we don't see as much of it anymore on it, and we are definitely having to turn to memory and network to get that. And cloud forensics is obviously the newest, because there's a whole lot of questions, and we'll get into some of that when we talk about some of the cloud stuff later, where, you know, there's questions about
06:48
responsibility. You know, how much access is Amazon or Microsoft or Google gonna allow you into that cloud environment to do proper forensics? What does proper forensics even mean anymore, right? Because cloud services have actually changed a lot of that. You know, we don't have physical access to our computing devices anymore, because a lot of those computing devices are really virtualized Amazon servers or virtualized, you know, Microsoft Azure servers. So that's kind of the differences between the four. Yeah, and
07:19
then for those listening out there who are, you know, maybe thinking about getting into a career in digital forensics, are they likely to need to know all four of these different areas, or is it a team of people that's investigating and you kind of specialize in one area? If you could explain that a little. Yeah, generally you start off with, you know, one specific area, and just because of how integrated our environments are now you will end up touching on all of them at some point, but there are definitely people that specialize in certain areas, you know,
07:51
like for example I started off my career, as far as doing anything forensics, with computer forensics, and then slowly moved into mobile as that became a thing, and moved into network, and now I do probably more cloud, you know, I would say cloud and memory forensics combined, than I do just about anything else. So I think you could jump in at either one of these. A lot of people that I know that are experts in different areas, a lot of them kind of started with,
08:20
I guess you could say, mobile forensics, especially if you look at like law enforcement, because a lot of the people, the detectives and people like that in law enforcement, their first forensics thing that they had to do was get something off somebody's cell phone, and again that's because a lot of the evidence nowadays in crimes ends up starting on cell phones. Mm-hmm, and is there one type of forensics that you enjoy doing the most? Oh, I would probably say that I think
08:54
combining memory and network, I think I probably, you know, have like a hybrid. The combination of those two is probably my favorite because of the fact that, you know, the mobile is kind of getting to the point to where if you don't have a way to get past some of the vendor protection there's a limit as to how much you can get. So combining network and cloud and memory is kind of where I focus a lot of my time now, because there's been several cases where we've been able to get at iCloud accounts, for
09:25
example, and get evidence out of there that we couldn't get off the phone because we couldn't get around the lock on the phone, but, you know, getting into iCloud sometimes proves to be easier than, for example, trying to get around the Apple protection on the physical device. So it's just, you know, I find myself kind of gravitating more towards the network and the cloud side, and also that's where a lot of my work lies too. Mm-hmm, yeah. So moving on to the forensics process on the next slide, just wondering
09:58
if you could kind of walk through, I guess, as I understand it, as far as I understand, this is, you know, the basic forensics process that, you know, works for a lot of investigations. So could you maybe explain, you know, each of those steps and, you know, what someone who has a career in digital forensics will actually do as they go through an investigation? Yeah, sure. So generally, specifically if you're, let's take computer for example, if you're approaching a site or something like that, there are some steps that you go
10:29
through where you have to make sure that you're not investigating, or you're trying to grab evidence, that's not, you know, gonna be relevant to the case, but you have to balance it out with, you know, you don't want to exclude something that later turns out to be extremely relevant as well. So the first thing is identification: being able to identify what needs to be investigated or gathered or tagged, for example. Next you want to go through a process of preserving data, and when we talk about digital evidence that can be a very
10:59
tough thing to do, because when we look at hard drives and the risk of static electricity and all these other things that you can physically do, you know, to disrupt or destroy evidence on these devices, you have to get into things like understanding electrostatic bags and, you know, bags that don't allow wireless communications in and out of them, like Faraday bags and things like that, because if a suspect knows that their device is being seized they might do something like try to wipe it. You know,
11:31
there's all kinds of different things like that that you have to consider as far as preservation. Proper evidence collection, you know, when you collect it to put it somewhere to be analyzed later, that's part of preservation as well, making sure that the evidence that you're collecting is actually done in a forensically sound way. You know, I can't tell you the number of cases that I've been pulled into, either halfway through it or last minute, where they really messed up the preservation part and a lot of the evidence is completely not
12:02
usable, or it definitely wouldn't be admissible in court because of how they collected it or how they preserved it. So those first two steps, I would even say that the preservation and doing proper and forensically sound preservation and gathering is more important than just about anything else in these phases, because if you don't preserve it or you don't maintain the forensic integrity, everything else that you do after that is kinda useless. You know, you could be the best analyzer and
12:32
the best hard drive analyst person in the world, but if you're working with data or forensics evidence that may have been tainted because the integrity wasn't maintained on it, then it's gonna be useless. So I always tell people when I teach, you know, gathering evidence and things like that, the only thing you can't come back from is if you mess up the collection and preservation, because if you mess that up, everything else from that point on is gonna be flawed. If you go to the analysis part, for example, and you miss something or you don't find
13:05
something, you can always go back and find it, you know, whereas with the preservation part you can't undo that mistake that you made to make that evidence inadmissible. Extracting the information, you basically want to make sure you follow proper methodology for that as well, and you have to be careful because with the powerful tools that are out there now, we always say with great power comes great responsibility. A couple of things can happen, and I've seen this: you can set your extraction tools to be extremely sensitive because
13:37
you don't want to miss any little smidgen of evidence, but also doing that could make the extraction take exponentially longer, right? So you might say, I got Jeff's hard drive and I want to get every image thumbnail that's bigger than one KB. Well, if you set your tool to that setting for one KB, it's gonna take, you know, probably ten times as long as it is if you use something that we would commonly use, like 12 KB or something like that. And then on top of that you're gonna have sometimes so much digital evidence now
14:08
that you're never gonna be able to get through all of it and analyze it, so that's another part that's important as far as actually getting through a case. And then of course the analysis, you want that always to be non-biased. And then probably the second most important part, almost as important as not messing up the collection and preservation, is the reporting, because if you do everything else right and your report doesn't clearly reflect your findings in a clear and concise way, then it might be
14:38
viewed upon as bad or frowned upon, and even may not be admissible, because, you know, a judge might decide that your report has no relevance to the case because of how poorly you wrote the report, and I've actually seen it happen on a few cases. So all of these steps are important, and, you know, just getting them kind of nailed down and getting hands-on with what the process is is really what makes you good at it. Yeah. Now does every forensics investigation pretty much follow these same steps? And I'm thinking back on the last slide,
15:10
we're talking about, you know, mobile and cloud and different types of forensics, so obviously over your career has there been a shift at all with these new technologies in the way you conduct forensics, or maybe with more emphasis on different steps or more challenges for some of those steps? Yeah, we still follow the same process here, but what ends up happening a lot of times is when you come into cases now, let's say, because we can't even just say forensics anymore, or digital forensics, because the truth of the matter is
15:40
there's digital forensics for cases where we might be trying to prosecute someone, right? Like if it's child exploitation and human trafficking, murder or something like that, then we're trying to prosecute someone. But what we also have to consider is a lot of the investigations are hinged on, you know, supporting incident response: there's been a data breach or something like that, and most of our customers that we do incident response for, you know, if you were to rate on a prioritization table how high they prioritize being
16:12
able to prosecute somebody, it's usually really, really low down the prioritization chart. Like they're really just trying to do business continuity and be able to get back to an operational state, find out root cause, make sure it doesn't happen again, those things. So your forensics approach might not change, but your forensics focus changes, right? So that would a lot of times affect how much time you spend on each one of these phases. So I don't think the phases change that much, but I think your focus in each phase changes
16:43
based on what type of case it is, because we always want to maintain integrity of evidence and that type of thing, but when we're looking at a hack or data breach, you know, a lot of times that's kind of out the window, because you might not even have any integrity to maintain. For example, if it's a cloud server that's been compromised, you can't really get a forensically sound image of that hard drive anymore because you don't have physical access to it, so the best you have is like a logical image and a memory dump, and these things are,
17:16
since that VM is constantly running, you know, you have a hard drive that you're gonna have a hard time being able to verify integrity on. So it's really just, at that point, investigating for the sake of finding out root cause and eventually eradicating whatever that threat is. Mm-hmm, yeah. And you've been teaching these courses for a while, so just wondering, like, as you teach, is there any one of those steps that students have the most difficulty, you know, trying to either understand conceptually or the actual process of it? Yeah, I think
17:46
the, because ironically, you know, the collecting, like where you do the preservation, you know, you take images and stuff like that, well, that's the most critical, that's also the easiest, right? Because once you remember these two or three critical things that you never, ever, ever do and the two or three things that you always have to do, once you get that down to a process you're not likely to mess that up. But the part where I find that students have the most challenges is the analysis, because there's so much to analyze, and
18:17
when we're doing analysis you have these tools, it's going to spit out all this information for you, but you still need a considerable amount of skills to process that information and make it into a report that's useful to someone, right? So because a lot of it's really, really technical, and to take that and convert it into something that someone that's not technical can understand, I find that a lot of students have challenges with that part. Either they're not technical enough to get it, or they're so technical that they're not good at, you know, putting together that non-technical
18:48
report for case findings and that type of thing. Mm-hmm, yeah. So moving on to some more general forensics career kind of discussion, this is, you know, one of the slides that I was most interested to hear your thoughts on today, because, you know, whenever I go to, you know, like local chapter events for, you know, InfoSec professionals, or, you know, people just send us questions or, you know, want to know more stuff about InfoSec careers, that's always one of the big questions we get, is, you know, how do I get started in this career, how do I
19:20
change this career, or how does it fit into the overall picture? So I wonder if you could, you know, touch on that a little bit, you know, maybe different types of forensics careers out there, whether they're entry-level or mid-level, or, you know, kind of how they fit into the overall picture and overall teams that are out there. Yeah, absolutely. So what I've seen, at least in the industry, you know, most people that are doing forensics come from one of two backgrounds: either they were doing pen
19:50
testing or some other cybersecurity role and they worked their way into doing something forensics, or they come from a law enforcement background, so they already have investigative skills, some analysis skills, that they just translate into doing, you know, computer forensics or cyber forensics. So I definitely think that those are the two primary places that we see people coming from as far as a background, but I also don't want to limit it. I think you can come from anywhere and do it, but as we said at the bottom there, skills
20:22
do carry over. But also I want to point out that, you know, to be a good pen tester or a good hacker you have to have some decent forensic skills, because a big part of pen testing, right, is covering tracks. A big part of hacking is covering tracks, to where you want to make it to where forensics is hard, you know, and if you don't understand how forensics work then you are not going to be very good at making forensics difficult for a seasoned forensics person. So I think that to be a good pen tester
20:52
you need, you know, forensic skills, and I think really to be a good forensics person in this day and age you have to have some pretty significant skills and understanding of how attacks work and pen testing and that type of thing, because essentially if you're going to be doing forensics as part of an incident response effort, as part of a threat hunting effort, for example, you know, you're gonna need to have an understanding of how these threat actors operate, otherwise you don't even really know what you're looking at. Like you can
21:23
collect the evidence, but you don't know what you're looking at, you can't piece it together. So I think it goes hand in hand, and I don't want to limit people to think that you really have to come from one to the other. It's just that wherever you start, you're gonna always have to round it out to really be good at whichever one of these careers you pick, and forensics is no different. You know, you want to have other skills. I mean, the day and age of where you can make a living just doing hard drive forensics, I think those days are numbered, so you're
21:54
gonna definitely have to step it up some. Mm-hmm, yeah. And curious about entry-level roles in forensics. I mean, you talk about how you need a good amount of experience, different things, and how those skills fit into a lot of different areas, but for example if you're hiring, you know, someone maybe a little more new to the field for a forensics role, I mean, I guess, one, are there roles out there that are more entry-level, and two, you know, what would be kind of a minimum that you would be looking for for someone to go into one of those roles? Yeah, I think the entry-level stuff
22:26
starts a lot with just doing collections, is what we call it in the industry, where, you know, if I hired somebody new, your primary job is probably going to be to go out and either do collections or assist with collections, because as we said that's the most critical part, but it's also the easiest to master, because if you're doing hard drive collections or mobile device collections, once you remember that you always plug in a hardware write blocker between that device and your imaging machine and get those steps down, it's really hard to mess that up.
22:58
So as an entry-level person you're gonna get really, really good at doing collections, you know, just collecting the evidence and bringing it back to the lab for the more seasoned people to do the examination and the analyst type work, and then as you get comfortable with collections and you understand that, you know, there's opportunity for you to assist the analyst, you know, with the people doing incident response and stuff like that, and eventually move into those roles. So, and I think anyone could literally go, and if you got the right
23:29
tools you could start from nothing and get pretty good at collections, you know, in a very short amount of time. So I think that's a good entry point for people if you know nothing else. Yeah, that's perfect. I was actually just about to ask you that, you know, if someone's listening and they really want to get started in forensics, obviously, you know, they could take one of your courses, which we'll talk about in a minute, but you mentioned different tools. Are there like free, open source tools that someone can go use to get started and, you know, kind of get their feet wet with
24:00
this kind of stuff, or do they have to use paid tools? You talked a little... Oh, absolutely, you can definitely get pretty good with some of the free tools. Some of the ones we like is Autopsy. It's a good free, open-source tool that you can go out and download and use for free. There's one called Foremost that we like to use to carve data out of hard drive images and things like that, and these are tools that we still use even though we spend lots of money on tools, you know, paid-for tools. We
24:32
still use a lot of open source tools in our practice just because they're the best at doing some things. So definitely to start with you want to have Autopsy, Foremost, there's a tool called Scalpel, you know, for network forensics there's a tool that we always use called NetworkMiner, Wireshark you definitely want to have that, Volatility you want to have in your docket for memory forensics, there's also a tool called DumpIt that we use to actually do a memory dump, you know,
25:02
off of a machine to be able to do memory forensics. So those are some like the key open source or free things that you can go get and start with right away. Mm-hmm, yeah. So moving on to the next slide, I just wanted to touch base a little bit about, you know, your course that you actually teach. Obviously, as you mentioned before, you teach a few different forensics-related courses, so can you give the listeners just a sense of what a boot camp is like and, you know, a typical day and the kinds of things that they would learn in one of those
25:33
courses? Yes, so, you know, there's a couple of us that teach this course from time to time, and the thing is, generally what we do is we start off the first day dealing with a lot of the legal stuff, just to kind of get that out of the way, because it's very not hands-on, it's not technical, but it's something that's important that we have to kind of get out there. So we start off the first day talking about legal stuff, and then we move into chain of custody, where you get to see what chain of custody forms look like, and I even
26:05
hand out to you evidence hard drives and things like that, and you have to document that and start a chain of custody for the evidence that I'm handing over to you. So students actually get, you know, hands-on experience, real-life, taking photos of evidence, documenting what they have, you know, putting serials and stuff like that in the chain of custody documents, and you walk away with chain of custody templates, which is a good thing because you have something to actually start with. And then we quickly move right into the technical depth of it. You know, you will
26:37
actually take an image of a hard drive and then you'll analyze an image, and then we'll move later in the week, probably the mid day, let's say, you know, late Tuesday afternoon, into doing some memory forensics to where you can get hands on with that, and then we move into network forensics, and then we always do these kind of capture the flag type, you know, you can work on it in the evening if you want, types of exercises where you take the things that you learned during the day and you, you know, try to solve
27:10
kind of real-world forensics problems with those skills that you gain throughout the day. So we create, you know, pcap files and traffic files and memory forensics, or memory images, and hard drive images that you get to play with to see if you can answer questions and things like that. So we make it very real world and very hands-on, and the Flex Center is kind of like our central point for all that, because all the courseware, all of the pre-recorded videos and everything like that, is right there in the Flex Center, so you don't have to worry about
27:42
losing anything, you know, losing a book or anything like that, because all of that stuff is provided digitally right inside Flex, and that makes it useful for students because some people will come to class and they'll say, hey, you know, I can't come back at six because I got to take the kids to dance or whatever, but I'm gonna come work on this at 8:30 tonight, and, you know, they have that flexibility because now it's all, you know, right here in Flex. Yeah, yeah, perfect. So we're gonna go on to the
28:15
Q&A portion shortly, but before that we're gonna have a live forensics demo from Keatron. So I know that's been a big hit in some of the previous webinars that you've done with us, so I guess, Keatron, could you give us a brief explanation of each of these potential demos, and then Hunter will launch a poll so the viewers out there can vote on which one they'd like to see today. Yeah, absolutely. So the cloud forensics, you know, I've actually got a few virtual machines running inside a cloud
28:46
environment standing by, and I'll just show how we're able to actually get a memory dump off that machine that's in the cloud and then find something malicious in it. And actually what I'll do is I'll attack the machine first, you know, so that there is something malicious on it, and then we'll extract the memory dump and use Volatility to pull that malicious binary out of memory and let you see how we can take it and, you know, prove that it's malicious based on the fact that we
29:17
pulled it right out of memory, and this is useful for things like rootkits and stuff that your traditional tools, your virus scanners and things like that, just can't find. All right, and then the network forensics is kind of the same logic here, except we will take a packet capture, you know, traffic, and we will pull something malicious out of the traffic, and that's kind of how you can see how that works, because a lot of times in environments hackers are good at covering their tracks, so they will wipe stuff off the hard drive and make sure that there's nothing left there, but
29:49
if you have those packets, a lot of times you can get what it is you're looking for just from the packets. So that's kind of the primary differences between the two there, and, you know, we're allowing people to vote. Oh, yes, yep, it's pretty close right now, it's about 50/50, so I'm gonna give you guys just a few more seconds to finish voting on the poll here. Yeah, and while we wait for people to vote, maybe you could explain some of the
30:25
other types of exercises that they might do over a course, maybe besides these two. Is there any other interesting demos or hands-on stuff that they get to try? Yeah, it's actually, even though it's a forensics course, one of the things that they will get to do is you will get to do some attack stuff, because part of the goal of this is you kind of have to do some attack stuff to know what the attacks look like and to know kind of how to look for it and
30:57
what to look for, you know, whether you're doing memory, hard drive or whatever the case may be. So you do actually learn about basic exploitation. Now, we don't spend a lot of time on it like we would in an ethical hacking course, but you will absolutely run some exploits, like you'll be exploiting yourselves so that you can investigate yourselves, because we've found out that's really one of the best ways to learn how to investigate attacks is to be part of creating those attacks. So you
31:28
definitely do some interesting things like that as well. Right, and it looks like cloud forensics is the winner, so Keatron, you want to go ahead and take it away? Yeah, so I'm gonna just share my screen here. Are you ready for me to take over that? Yeah, go for it. All right, so basically what we have here is just a Kali virtual machine or Kali environment that
32:04
we're gonna be doing the attack from, all right, and I'll make the attack quick because you want to focus on the forensics part, and this will be the 2012 R2 server here that we will be actually attacking. Right, so one of the challenges that's new for cloud that we've not really had to deal with a lot before is, if there is an attack going on on this server, you can't walk into Amazon or walk into Microsoft Azure and say we would like to take a physical memory dump of this server, because this
32:36
server really doesn't exist in terms of being a physical device. You know, even in your traditional data centers you could go into that data center and at least plug into the rack, or even image that entire cluster if you needed to do that, whereas now when you look at the cloud side you don't have that capability. But one of the most important things, and, you know, we kind of have a strong incident response, data breach kind of focus on this particular demonstration, is if you go into a breach situation, one of the
33:08
first things that you have to remember, and we teach this in class, is something called the order of volatility, which means you always want to collect the most volatile evidence first, and by volatile we mean evidence that's most likely to either (a) change or not be there anymore. And, you know, the number one place that is, is memory, so you want to be able to get whatever's in memory out first, because whatever is on the hard drive is likely to still be there, and even if they erase it, then, you know, we have
33:40
forensics techniques to recover it. But when you look at memory, once that machine shuts down, whatever was in memory is gone forever. There's no magic to get it back or anything like that. So we're gonna show how, in a cloud environment, the server, which is .103, is gonna get attacked here. We're gonna do a memory dump and show you how we can extract from that memory the malicious thing, that is, the attack that we're doing here. So the first thing an attacker might do is scan that server, which I think is .103,
34:11
and, you know, find vulnerabilities in it or look for services. In this particular case they'd spend a lot of time doing reconnaissance and enumeration on each one of these services to see if they can map that to a vulnerability. I'm just gonna pretend we've done that process, all right, and now we've kind of narrowed our focus down to the service that's running on port 8081, for example. We see that it says it might be BlackICE. We'll do a little bit
34:42
deeper probe on it with a version probe scan and find that it's actually not BlackICE. And keep in mind, this particular service that we're interacting with, all of this interaction, these scans, this is generating evidence too. There are things in memory that are related to these port scans as well, you know, that you can pull out. So we see that it's running that service. A thing that an attacker might do is, now that they know the service, they might go out
35:12
to the internet and quickly look for vulnerabilities related to that service. So just showing you how easy this can be, it's something I can spell, Google. Well, and I'm just gonna paste that right out of the nmap output there. As you can see, nmap told us this, so we're just going to literally copy that and paste it right into Google and just add
35:56
the word vulnerabilities to the end of it, and as you can see from that there are several vulnerabilities that come back, you know, now all related to the Rejetto service. Right, so what we're gonna do is search inside our exploit framework for that. We can see there are several exploits, so now we can go ahead and load our exploit framework, and we're gonna key on just that vulnerability. Now if I were doing, you
36:26
know, network forensics, I would probably have, you know, Wireshark and/or Splunk or something running on the victim side, because we would be focusing on packets and the traffic that's about to be generated. But what we're going to be looking at now is what happens in memory, you know, when this particular attack runs, how it works, that type of thing, just from a memory forensics perspective. All right, so again, if we search for that term that we found, Rejetto, on the internet, we'll
36:57
clearly see that there are, you know, exploits in here for it, and we're gonna load that. I forgot the little mime database, but we're good without it for now. All right, so we're going to use that, and, you know, I don't want anybody to get caught up on the exploit here, you know, trying to go find it or something like that, because the truth of the matter is there's always going to be vulnerabilities for stuff, you know, there's always going to be zero days, so
37:47
there's really, let's try it again, there's always going to be vulnerabilities out there that we can, you know, exploit. And then we'll set our target, or actually this machine I think is .102, that's .104, and then our target, and then the port that the service is running on. So, I mean, you know, just that quickly, and keep in mind it could be a lot quicker. I was, because I was actually getting
38:52
faffing about there, and I was explaining it as I'm going, but a real attacker wouldn't go as slow as I was going, because they're not trying to go at a speed that you can see it, they're just trying to get it done. So we're in there now, and we can do things like take screenshots, you know, completely on that machine. You know, we can drop to a command shell and then do commands. Let's frame Jeff here, 'cause we all know he's like the top hacker in the world, so he's probably responsible for this. So we've created an
39:26
account named Jeff, you know, on the system, and you do all kinds of other stuff. But now the key to that is, if we go now to the victim, so let's say we're the victim, we are in the middle of a data breach, we got called, and one of the first things I'm gonna tell my guys to do is you got to get a memory dump right away, because whatever the attacker's doing is happening in memory. If they're extracting stuff, it's in memory; if they're writing stuff to the hard drive, there's evidence of that in memory. Whatever they're doing, programs run in memory, so whatever they're doing to it,
39:57
there's going to be pieces of that or evidence of it in memory. So I'm gonna use DumpIt here to get a memory dump, and it simply, you know, writes whatever the contents of memory is right out to a file, and I've got it configured to write it to the desktop here so that we don't have to, you know, go get it from somewhere else or something like that. And then what we're going to do is we're gonna analyze that particular memory dump, which is right here, with Volatility. Now I'm gonna name it
40:30
something other than this super long name that it came up with for it, just so that I don't have to type this over again. We'll just call it Jeff hack, since, you know, we know Jeff's the one that did the hack, and then from there I'm going to open a command prompt and have Volatility simply view on that particular image there. So let's make
40:58
this a little bit bigger, and make this bigger just in case you guys have small screens out there, just make it a little bit more aesthetic. All right, so if I run Volatility, you know, like so, and, you know what, let's rename that too, because that's a long name, so we're gonna rename Volatility to
41:49
just vol.exe or something like that, it doesn't take up so much screen space. All right, so if I run Volatility against that Jeff, you know, that dump there, we tell it that's a file, and, you know, we can also, if we wanted to, if we didn't know what the operating system was, you can actually run something called image scan against it and it will tell you what the operating system is. Now, we don't really have to do that, we can just do dash dash
42:23
profile equals, and we know what it is, and then we can test it by seeing if we can do a pslist, which lists, you know, processes. It doesn't like the profile, so let's just do this and find out. All right, let it catch up with us here. All right, there we go,
43:34
it's letting me type again now. So this process iterates over all of memory, and one thing you got to be careful of is if it were a big memory dump, like if it were a 16 or 32 gig memory dump, this process would take much, much longer to actually work there. So, you know, you would have to kind of tell it that and give it time to finish. Now this one's taking a little bit of time because, again, this is, I
44:06
think, an eight gig dump, so it's going to take it about two or three minutes here to finish up the process of identifying for us what the profile is. Now, if you're in a cloud environment, you know, again, understand this is one of the primary ways that you're gonna have to do memory dumps. You know, you won't be able to go and physically plug into it or any of that stuff that we're used to doing, because this is kind of how you'd have to do it.
44:54
You know, you'd have to have a tool like this, or if you're a big organization with lots of money, you could have, you know, most of the forensic suites that we have out there have these memory agents that you can run on the devices, and they will actually go out and, you know, do the scan for you and tell you how to get the dump and that type of thing. The key to that, though, is you already have these tools or these suites running before you actually need to do a memory grab, you know, and having to
45:26
come in after the fact and do it actually makes it take a little bit longer. All right, so we just have to kind of wait on this to finish here. Well, we do have a few we could potentially get to while we're waiting, if it's gonna take a couple minutes. Yeah, go for it. Yeah, so Laurie, she was asking about security clearances, and if anything
45:56
like that is required for some of these positions, and if so, you know, what level would be needed. Um, if you're working in the government they're gonna require a clearance, you know, if you're gonna be working in an area that deals with secret or top secret information or something like that, but you can definitely have a successful career in this field without ever having the clearance. Like, you don't
46:27
have to have a clearance to do this kind of work, it's just that if you're gonna do it in a government facility most of them are gonna require that you have a clearance. So that's the answer to that. Yeah, and what about specific certifications? Like, I know, for example, the DoD has certain requirements for different certifications. Are there any forensic certifications that fit into that, or just certifications in general that you, as someone who's hiring for these
46:57
positions, would be looking for? Yeah, I know they're trying to get CHFI on that 8570 list, but I'm not familiar with a lot of forensics-specific certifications. One other thing about forensic certifications is a lot of the certs are vendor-specific, right? For example, EnCase has their suite of EnCase certifications, and, you know, FTK has their AccessData certifications, and those sorts are mostly, you know, specific to those specific, you know, tool sets of
47:28
products that you're using, but there's not a lot of vendor-neutral forensic certs that are on the 8570 required list. Mm-hmm. And we've had a couple chime in asking about salary. You know, obviously that varies widely depending on position and location, but just wondering if you have any thoughts you could share around, you know, salary for different types of positions. Oh, sure, sure. Oh, it depends on what kind of
47:59
forensics you're doing. You know, if you're calling yourself just a forensics person and you're doing just forensics, you know, you're not gonna be making what we would call top-end, you know, cybersecurity salaries there. But if you're doing forensics and that's one of your core skills, you can definitely use that, you know, as a way to increase your value in an organization. But if you're just doing, like, for example, hard drive
48:30
forensics, you know, you can look to make anywhere from, some of the low-end stuff I've seen starts as low as, like, seventy thousand a year, but then I've seen some also go up to, you know, over a hundred thousand a year as entry-level, and it really depends on what the requirements are and what it is they're wanting you to do. I know there was one particular person that I mentored, and she was, you
49:02
know, really new to the field, she didn't have any real experience or anything like that, but she ended up getting a job paying, I think, like a hundred and sixty thousand a year as an entry-level forensics person. But, you know, she was actually doing it for a large law firm, so she took on the role of being the forensics person for a large law firm, and she was responsible
49:32
for gathering all their information and that type of thing, so that ended up being a different situation, I guess you could say. All right, so this image, not, yeah, so Kevin here commented that there's a typo, it says pslit instead of pslist. Oh yeah, thanks Kevin. Yeah, told you, see, my biggest problem in forensics is my spelling, you know, that's definitely gonna be the crux of it. So all pslist does is it just shows you,
50:05
it's the same as if you went to a machine and you went to Task Manager and looked at running processes. Keep in mind we're doing this to a machine that we don't have access to; all we have now is a memory dump. So we're doing this kind of post-mortem, you know, after we've went away from the machine and that type of thing, but we can still get a good list of running processes and that type of thing. And what I'm gonna show you here in just a second is how we can not only see running processes, but we can see, you know, which
50:36
processes are children, as I should say, of other processes. Now, obviously, right away we can see that, you know, something here looks a little weird, and there might be a few other processes, and what's important is let's look at these from a child standpoint. So we'll do that by doing something called pstree, and what pstree does for us is not only do we see the processes, but we see their relationships to other processes, and that
51:07
will help us a lot as far as indicating, you know, what's actually going on and what spawned that weird process, because we know that we don't have any legitimate processes named slqrckx.exe or whatever that string was. So what pstree allows is it lets us kind of historically see where that process got launched from, like, in other words, what launched it or who launched it, and that can be very useful for figuring out what we're gonna do. Now, once we see that in this tree
51:39
view here, we're gonna extract that binary right out of memory. Remember, we're pretending now we don't have access to the physical machine, we just got a memory dump. But this process that I was talking about, this guy right here, right, that's the one that we're not sure about. We can see that it's got a PID of 3996, all right, 3996 is its PID, so we'll need to remember that. But we can also see that it's not its own
52:10
process, it's running as a child of wscript, and then wscript was launched by hfs.exe. So what is hfs.exe? Well, it turns out that is the actual web server, the guy here that was exploited or attacked. So we could even, from a memory dump perspective, kind of form some hypothesis that since this rogue process is running as a grandchild of this parent process that we know about, that's probably the
52:42
service that was exploited, and you might want to check it to see if there's any missing patches or whatever the case may be. Now, a real sweet part of this is we can now basically tell Volatility that we want to actually do a dump of just that process, not of everything, but just that process, and we can dump that process right out of this memory dump here. You know, in other words, we don't know anything about it, but we know we want to dump it out. Now what I would
53:13
caution you guys on when doing this particular thing is, keep in mind this is a rogue process, it is a malicious process, so if this is a real environment and you're dumping a malicious process, what you don't want to do is dump this process onto a server that you don't want malicious stuff to be running on. So again, with great power comes responsibility. So I'm going to go ahead and show you how to do it, and this will be the end of our kind of our demo here. I'm gonna do procdump, which is a Volatility plugin. I'm gonna tell it dash
53:45
D, and I'm gonna have it dump it right to, let's just create a folder on the desktop, we'll call it Jeff stuff or something like that, right, and we're gonna have Volatility dump that malicious binary right there. So the directory is gonna be Jeff stuff, and the process that we do want to dump is the malicious one, the one that we think is malicious, which is
54:20
3996. All right, so we run that, and it'll take Volatility a minute to carve it out. So it'll carve it out and it'll tell us, hey, we did it, and we wrote it out to the directory on the desktop named Jeff stuff, and we'll be able to, at that point, go in and either (a) execute that binary to see what it does, which I don't recommend if you're not in a specific malware reverse engineering sandbox environment, or, what I'm gonna do is we'll upload it to VirusTotal, and you'll see that VirusTotal tells us that
54:56
absolutely that process is bad. Now there is some other stuff that we can look at. For example, there's a plugin that I was going to show you called connections or connscan that will literally show you any connections, let's actually do that, you know, coming from this thing, is actually coming from that binary, and then while that's running we'll go look at the binary that we extracted. So
55:30
if we check the desktop and look into the Jeff stuff folder, lo and behold, we have now this binary in there. Now again, this is very dangerous here if you're not in a sandbox environment, because you don't know what it is you just extracted, but I'm just going to go to VirusTotal and upload that binary, because VirusTotal is basically a combination of, like, 50 different top AV vendors that have their engines accessible, and we're just going to load that binary right out
56:03
of there, or that executable, and what we'll find is VirusTotal will tell us, like, hey, this is what we think it is, you know, and based on that you can see, definitely as it scans it, it's going to turn out that most of them say it's something malicious. Now what I want to show you with connscan is you can clearly see that with connscan there are actually established connections based on that malicious process. For example, if we look
56:33
at all the ones that say established, about three of those show up as being that specific process that we were just looking at, you know, the weird one that had the name of, you know, a bunch of letters and characters. So you can see connections related, you know, to that process as well, and we could even specify that PID and basically ask Volatility, are there any connections based on just that PID. Now we can clearly see a connection out to the bad guy here on port 8080, but there's also
57:05
some stuff on port 8081, which is actually where the command shell went across. So while that's done, let's go back and see what VirusTotal had to tell us, and as you can see here, it did, you know, it's red all over the place, so they clearly all say it's really, you know, it's bad, red means bad. Now if you look on this list and you see your AV or HIPS product saying that it's green, then that might be of a little bit of concern. For example, we can see Panda
57:37
says it's fine, Malwarebytes says it's fine, but I'm telling you for sure it's not fine because we just put it there. So, but if you can see all the other ones, like McAfee and some of these others here, they all said it's bad. And that's how we can take a machine we're not sure what's going on with, we can clearly see from that memory dump that something's going on, we were able to extract the process, put it in a safe environment, and see that it's bad. And that's the demo. Awesome,
58:10
yeah, I think we have time, just real quick, maybe take one or two questions before we wrap up, so let me just peek through here, see if there's any ones that stand out. So, yes, yeah, kind of related to the demo that you just showed us, we have one from Kelvin. He was asking, can attackers do or use anything to thwart the use of these memory dumping tactics? Yeah, there are some things that they do. So one of the big things now is something called fileless malware, that's f-i-l-e-
58:42
l-e-s-s malware, where instead of actually putting in, you know, a binary or functioning piece of code, they just manipulate the things that Windows already has in memory and use those things to do whatever it is they need to do. And that is a common thing now, and that's much, much harder to detect with a memory dump, but you can still detect it, you just have to know what threads and what handles to look for in memory, as far as how the built-in Windows APIs are being manipulated and used. But it's
59:12
much harder, for sure. Yeah, I see we have a few other questions. We'll probably just take one more quick, but if you did submit a question we can definitely follow up with you via email after the webinar is over. So the last question we'll take here is someone, you know, says, I don't really have a lot of experience in the field, or actually they say they have no experience whatsoever, and, you know, looking at your demo and seeing what you're talking about, it says it sounds like it's primarily for those who are already doing some form of IT
59:44
related work. So if someone has, you know, basically absolutely zero experience in IT, are there any recommendations you have for them to get started if they have an end goal of being involved in forensics, and do you have a timeline of how long it could take to kind of go from zero to a job? Yeah, well, definitely, if you have no IT experience, right, that's something different, like you want to jump into A+, Net+, Security+, Network+, things like that to kind of
01:00:14
get yourself acclimated to IT. Definitely I don't recommend someone come from no IT experience at all into forensics, but, you know, if you have some IT experience, I think that the transition to forensics is not that big of a curve at all. So, you know, if you're new to IT in general, go start looking at the A+ syllabus, look at the Network+, the Security+ syllabus, and even if you don't take a class, just go and study those subject areas to where you get comfortable with
01:00:44
it, set up a wireless network at home, like, do basic tech stuff to get yourself in IT before you try to jump right into forensics. I definitely don't recommend coming into forensics with no IT experience at all. I mean, people have done it, but it's a much, much bigger learning curve. All right, and that'll do it for today's webinar. We're out of time, so thank you, Keatron, for joining us, and thank you to everyone else who submitted questions and participated along. As we've mentioned earlier, you can
01:01:15
watch for a recording in your email coming soon, along with any CPE certificates if you need them, and a copy of the slides and all that stuff. If you'd like more information about digital forensics right away, feel free to check out our website, infosecinstitute.com, or if you'd like to speak with someone about digital forensics courses, you can call the number there on the screen. There will be a short survey that should appear on your screen; we'd appreciate it if you take a few minutes just to fill that out, because that helps
01:01:46
us provide you with better webinars going forward in the future and meeting your needs. If you have any other questions, feel free to direct them to info@infosecinstitute.com and we'll be sure to get back to you soon. Have a great rest of your day.