(fios#03) 5. 죽은 서비스도 살려내는 포렌식 기술

The 3rd FIOS(F-INSIGHT OPEN SEMINAR)

Resurrect the System and Services: 죽은 서비스도 살리는 포렌식 기술

ykei

@ykx100

forensicinsight.org

목차

1. Cold or Hot Evidence

2. Resurrection

3. Chain of Custody

forensicinsight.org

Cold or Hot?

forensicinsight.org

Cold or Hot Evidence

Top Class Forensic Scientist

forensicinsight.org


One of Top Class Forensic Scientist

forensicinsight.org


Meet

The bruised body

One of Top Class Forensic Scientist

with breath

forensicinsight.org


U Remember?

Specialized at dead body

forensicinsight.org


forensicinsight.org


Now He got the cold body

as his wish

Is it fair?

forensicinsight.org


Digital Evidence?

forensicinsight.org


Have you ever like this?

forensicinsight.org


Same Cold EV.

forensicinsight.org


But,Benefit of live forensics

Short way to extract

Quick response

Seize the live data

forensicinsight.org


Increased size, complexity of Data

Hard to find evidence

forensicinsight.org


Still, u

wanna kill

the hot &

take the

cold body

for analysis?

forensicinsight.org


Stop pulling the plug

forensicinsight.org


Boooooring… I know that, already

forensicinsight.org


Someone killing the hot body

Mistake

Wrong decision

Bad Situation

forensicinsight.org


If someone give you the shit,

forensicinsight.org

Resurrection

forensicinsight.org

Resurrection

Unified Log Monitor System

Pulled the plug and Imaging the Disks

Can you export the all log from DB?

Where is the start point?

Here is shit…

forensicinsight.org

Resurrection

Resurrect System

forensicinsight.org

Resurrection

Virtual mount disk image files

forensicinsight.org

Resurrection

Check the Kernel version information

forensicinsight.org

Resurrection

Check Filesystem information

forensicinsight.org

Resurrection

Make the VM with mounted disk

forensicinsight.org

Resurrection

Now boot,

Meet the kernel panic

So I present this now :)

forensicinsight.org

Resurrection

Try to rescue boot [ linux rescue, chroot /mnt/sysimage ]

forensicinsight.org

Resurrection

Physical Driver to Virtual [ /etc/modprobe.conf ]

forensicinsight.org

Resurrection

Check disk order [ fdisk –l ]

forensicinsight.org

Resurrection

Check original mount point [ /etc/fstab ]

forensicinsight.org

Resurrection

Fix the raid bug [ /etc/grub.conf ]

forensicinsight.org

Resurrection

Grub information update [ grub-install ]

forensicinsight.org

Resurrection

Update Kernel information [ mkinitrd ]

forensicinsight.org

Resurrection

Still No Heartbeat of Service

forensicinsight.org

Resurrection

Resurrect Service

forensicinsight.org

Resurrection

Adjust network environment [ ifconfig ]

forensicinsight.org

Resurrection

Recovery DB files

forensicinsight.org

Resurrection

May be It is not good idea…

forensicinsight.org

Resurrection

But, u can cheating the history :) [ history ]

forensicinsight.org

Resurrection

Now service is warmed

forensicinsight.org

Resurrection

Maybe, u need to PW recovery from DB

forensicinsight.org

Resurrection

But, Is resurrection break the chain?

forensicinsight.org

Chain of Custody

forensicinsight.org

Chain of Custody

No, Chain is fine

forensicinsight.org

Chain of Custody

When is preservation done,

CoC is Start.

forensicinsight.org

Chain of Custody

Don’t scared, Do hash

For Compatibility : MD5

For Security : SHA256(higher)

forensicinsight.org

Chain of Custody

But be prepared, always

Guide

Tools for your Environment

Storage for backup

And Hiring the Real Expert

Don’t deceived by crook

forensicinsight.org

Now, Cold or Hot?

forensicinsight.org

Conclusion

Virtual Technology is awesome

I can resurrect the cold media

Sometimes, It is very efficient method

forensicinsight.org

Conclusion

Please reconsidering the pull the plug

Do not send the shit to me

If you give me the shit,I can over that, too.

forensicinsight.org

Conclusion

Hello, digital media necromancer!

Have u a question?