Usage Aspects Techniques For Enterprise Forensics Data Analytics Tools – Damir Delija [email protected] – "Nove sigurnosne ugroze i kritična nacionalna infrastruktura", Zagreb, 12-13.09.2013


Description: EnCase v7 Enterprise sweep data access through InfoZoom


Page 1: Usage aspects techniques for enterprise forensics data analytics tools

Usage Aspects Techniques For Enterprise Forensics Data Analytics Tools

Damir Delija [email protected]

"Nove sigurnosne ugroze i kritična nacionalna infrastruktura", Zagreb, 12-13.09.2013

Page 2: Usage aspects techniques for enterprise forensics data analytics tools

Idea

• How to analyze data in the internal database and data repositories of a forensic tool through external data analytics tools

• Or, as a generalization: access to hidden data in forensic tools, especially enterprise-class forensic tools

– (this is not a new problem; something very similar happened in network management ages ago)

Page 3: Usage aspects techniques for enterprise forensics data analytics tools

To explore the situation

• Try what can be collected from commercial forensic tools

– EnCase v7, FTK as forensic tools

– InfoZoom as data presentation and analysis tool

• also some open source add-ons

Page 4: Usage aspects techniques for enterprise forensics data analytics tools

Evolution Of Enterprise Forensics Capabilities

disk images – Forensic image of remote physical or logical disks, acquired and preserved on the forensics workstation

memory images – Forensic image of the whole RAM of a remote node and memory images of its processes, acquired and preserved on the forensics workstation

snapshot data – Presents the current structure of users, processes, DLLs, open files and network information (ARP table, DNS table, routing table)

• Each step brings a huge amount of data and metadata into the forensic tool

• This data is not worthless even if it is not directly related to the first line of examination

Page 5: Usage aspects techniques for enterprise forensics data analytics tools

Forensic tools example: EnCase v7

• EnCase v7

– stores data in cache files and evidence files

• cache: processed data, usually SQLite

• evidence: original data

– Other forensic tools store data in a DB or in various files (FTK, X-Ways, UFED ...)

– the data is there, but what you can see is what the forensic tool allows you to see

• or it takes a huge effort to find a workaround to access the data

Page 6: Usage aspects techniques for enterprise forensics data analytics tools

Forensics Components: EnCase Enterprise approach

[Diagram: Examiner workstations at Company Headquarters, SAFE servers, and Target Nodes in Main Office A, Main Office B and the Branch Office, connected over the WAN]

Page 7: Usage aspects techniques for enterprise forensics data analytics tools

EnCase Enterprise sweep

• collect live snapshot data from all machines in the enterprise – a forensic agent (servlet) is installed on each machine

• data goes into an SQLite DB file on the examiner machine

• the GUI and interface in EnCase are harsh and unhelpful for data extraction / analysis

• access to data from EnCase – use the data browser or write an EnScript program

Page 8: Usage aspects techniques for enterprise forensics data analytics tools

Simple Network Incident Scenario

Step 1 – Snapshot: forensic snapshot of the suspected machines involved in the incident

Step 2 – Internal analysis: snapshot analysis in the forensic tool; export data to other related tools for fine analysis

Step 3 – External analysis: analysis based on data properties (not intrinsically forensic values) with external tools; the data is made available to non-forensic tools (export, database connection etc.)

Step 4 – Action or redoing the snapshot: results from step 3 go back into the forensic tool as a list of suspicious processes; further forensic analysis is carried out (hash analysis, entropy etc.)

• for any data consolidation it helps if an additional view into the data is available

• this view is problem dependent and very often fuzzy; it requires data export into something else (very often Excel) or an SQL database

Page 9: Usage aspects techniques for enterprise forensics data analytics tools

Example

• set of sweeps and the related SQLite DB file

• Sweep.sqlite: all sweep data in one file

Page 10: Usage aspects techniques for enterprise forensics data analytics tools

Explanation of data

• for each sweep (set of machine snapshots) – some data are undocumented

– the set of machine snapshots is contained in various tables

• machine data

• users, groups

• network data (IP, route, ARP, MAC ..)

• DLLs and their attributes – instances of a DLL, ownership, size, hash, loads

• processes and their attributes – instances of a process, ownership, size, hash ..

– no disk info (another method of access)

Page 11: Usage aspects techniques for enterprise forensics data analytics tools

Data in sweep.sqlite – set of snapshots

Page 12: Usage aspects techniques for enterprise forensics data analytics tools

Snapshot data

• info about snapshots

Page 13: Usage aspects techniques for enterprise forensics data analytics tools

IP data

• information about IP-related data in the snapshot

• data in native format (hex etc.)
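The slide only notes that IP-related fields arrive in native format; the Python below is an added example (not from the slides or from EnCase) of how an analyst turns such fields into readable values before comparing them across machines. The encodings it handles (IPv4 as a 32-bit integer or hex string in either byte order, MAC as a raw 6-byte blob, IPv6 as 16 raw bytes) and the sample rows are constructed assumptions about what a snapshot IP table might hold; the real layout has to be confirmed against a host whose addresses are already known, which is why the IPv4 decoder returns both byte-order readings.

```python
"""Added example (not from the slides): decode network fields that a snapshot
table stores in 'native' binary form. Encodings are assumptions, see lead-in."""
import ipaddress


def ipv4_candidates(raw):
    """Return both byte-order readings of a 4-byte IPv4 field so the analyst can
    see which one matches a known host. `raw` may be an int, 4 bytes, or a hex
    string such as '0A000001' (the form a data browser tends to display)."""
    if isinstance(raw, str):
        raw = bytes.fromhex(raw)
    elif isinstance(raw, int):
        raw = raw.to_bytes(4, "big")
    raw = bytes(raw)
    if len(raw) != 4:
        raise ValueError("IPv4 field must be exactly 4 bytes")
    return {
        "big": str(ipaddress.IPv4Address(raw)),
        "little": str(ipaddress.IPv4Address(raw[::-1])),
    }


def mac_from_blob(raw):
    """Render a 6-byte MAC blob (bytes or hex string) as colon-separated hex."""
    raw = bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)
    if len(raw) != 6:
        raise ValueError("MAC field must be exactly 6 bytes")
    return ":".join(f"{b:02x}" for b in raw)


def ipv6_from_blob(raw):
    """Render a 16-byte IPv6 blob (bytes or hex string) in compressed notation."""
    raw = bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)
    return str(ipaddress.IPv6Address(raw))


def decode_snapshot_row(row, ipv4_order="little"):
    """Decode one row of a hypothetical IP table into analyst-readable fields.
    `ipv4_order` is the byte order the analyst has confirmed for this data set."""
    return {
        "machine": row["machine"],
        "ip": ipv4_candidates(row["ip_raw"])[ipv4_order],
        "mac": mac_from_blob(row["mac_raw"]),
        "ip6": ipv6_from_blob(row["ip6_raw"]),
    }


# Constructed sample rows, shaped like what a snapshot IP table might contain.
SAMPLE_IP_ROWS = [
    {"machine": "WS-01",
     "ip_raw": "0100A8C0",                      # 192.168.0.1 stored little-endian
     "mac_raw": "001a2b3c4d5e",
     "ip6_raw": "fe80" + "00" * 12 + "0001"},   # fe80::1
    {"machine": "WS-02",
     "ip_raw": b"\x02\x00\xa8\xc0",             # 192.168.0.2 stored little-endian
     "mac_raw": b"\x00\x1a\x2b\x3c\x4d\x5f",
     "ip6_raw": "fe80" + "00" * 12 + "0002"},   # fe80::2
]


def decode_sample_rows():
    """Decode the constructed rows with the byte order confirmed for them."""
    return [decode_snapshot_row(r) for r in SAMPLE_IP_ROWS]


if __name__ == "__main__":
    for decoded in decode_sample_rows():
        print(decoded)
```

Before trusting a decoder on a real sweep file, pick one machine whose address is known from the network inventory, run `ipv4_candidates` on its raw field, and keep whichever byte order matches; a mismatch here silently corrupts every later comparison across machines.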

Page 14: Usage aspects techniques for enterprise forensics data analytics tools

Process data

• all data about a process as one big view

• easy to spot irregularities

Example: svchost.exe

– often infected through DLL injection

Page 15: Usage aspects techniques for enterprise forensics data analytics tools

Example: process svchost.exe on all machines in the sweep DB
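As an added example (not from the slides, and not EnCase or EnScript code), the Python script below walks through the workflow of Pages 5, 8, 10 and 14-15 with external tooling: it opens a sweep-style SQLite file read-only, lists the tables and columns so an undocumented schema can be mapped, builds one wide process view for svchost.exe across all machines in the sweep, flags the instances whose hash, path or loaded DLLs differ from the rest of the sweep, and writes the result as a CSV list of suspicious processes to feed back into the forensic tool (step 4 of the incident scenario). The table names snapshot, process and dll, their columns, and the sample rows are constructed assumptions, not the real sweep.sqlite layout; only the approach carries over.

```python
"""Added example (not from the slides): read a sweep-style SQLite file with an
external tool, enumerate its undocumented schema, build one wide process view
across all machines, flag irregular svchost.exe instances and export the suspect
list for re-import. The snapshot/process/dll tables are a hypothetical,
simplified stand-in for EnCase's real sweep.sqlite layout."""
import csv
import io
import sqlite3
from collections import Counter

# Constructed sample sweep: three machine snapshots, one svchost.exe each, plus
# the DLLs loaded into each process. WS-03 is the deliberately odd one.
SAMPLE_SWEEP_SQL = """
CREATE TABLE snapshot (snap_id INTEGER PRIMARY KEY, machine TEXT, taken TEXT);
CREATE TABLE process  (proc_id INTEGER PRIMARY KEY, snap_id INTEGER, pid INTEGER,
                       name TEXT, path TEXT, owner TEXT, md5 TEXT);
CREATE TABLE dll      (dll_id INTEGER PRIMARY KEY, proc_id INTEGER, path TEXT, md5 TEXT);
INSERT INTO snapshot VALUES (1, 'WS-01', '2013-09-01T08:00'),
                            (2, 'WS-02', '2013-09-01T08:01'),
                            (3, 'WS-03', '2013-09-01T08:02');
INSERT INTO process VALUES
  (1, 1, 804, 'svchost.exe', 'C:\\Windows\\System32\\svchost.exe', 'SYSTEM', 'aaaa1111'),
  (2, 2, 812, 'svchost.exe', 'C:\\Windows\\System32\\svchost.exe', 'SYSTEM', 'aaaa1111'),
  (3, 3, 790, 'svchost.exe', 'C:\\Windows\\Temp\\svchost.exe',     'user1',  'ffff9999');
INSERT INTO dll VALUES
  (1, 1, 'C:\\Windows\\System32\\ntdll.dll', 'bbbb2222'),
  (2, 2, 'C:\\Windows\\System32\\ntdll.dll', 'bbbb2222'),
  (3, 3, 'C:\\Windows\\System32\\ntdll.dll', 'bbbb2222'),
  (4, 3, 'C:\\Users\\user1\\AppData\\Local\\Temp\\x.dll', 'cccc3333');
"""


def open_sweep(path=":memory:"):
    """Open a sweep DB read-only (the evidence file stays untouched); with no
    path, build the constructed sample in memory."""
    if path == ":memory:":
        con = sqlite3.connect(":memory:")
        con.executescript(SAMPLE_SWEEP_SQL)
        return con
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def describe_schema(con):
    """List every table with its columns: the first step when the vendor does
    not document the layout. Works on any SQLite file."""
    schema = {}
    for (name,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        schema[name] = [col[1] for col in con.execute(f"PRAGMA table_info({name})")]
    return schema


def process_view(con, name):
    """One wide view joining snapshot, process and loaded DLLs for every
    instance of a process name across all machines in the sweep."""
    sql = """SELECT s.machine, p.pid, p.path, p.owner, p.md5,
                    GROUP_CONCAT(d.path, ';')
             FROM process p JOIN snapshot s ON s.snap_id = p.snap_id
             LEFT JOIN dll d ON d.proc_id = p.proc_id
             WHERE p.name = ? COLLATE NOCASE
             GROUP BY p.proc_id ORDER BY s.machine"""
    return [{"machine": m, "pid": pid, "path": path, "owner": owner, "md5": md5,
             "dlls": set(dlls.split(";")) if dlls else set()}
            for m, pid, path, owner, md5, dlls in con.execute(sql, (name,))]


def find_irregular(instances):
    """Flag instances whose path or hash differs from the majority across the
    sweep, or that load a DLL no other instance loads. Outlier logic only: it
    yields a list to push back into the forensic tool, not proof of infection."""
    if not instances:
        return []
    majority_md5 = Counter(i["md5"] for i in instances).most_common(1)[0][0]
    majority_path = Counter(i["path"].lower() for i in instances).most_common(1)[0][0]
    dll_count = Counter(d.lower() for i in instances for d in i["dlls"])
    flagged = []
    for i in instances:
        reasons = []
        if i["md5"] != majority_md5:
            reasons.append("hash differs from majority")
        if i["path"].lower() != majority_path:
            reasons.append("path differs from majority")
        unique = sorted(d for d in i["dlls"] if dll_count[d.lower()] == 1)
        if unique:
            reasons.append("dll loaded nowhere else: " + ", ".join(unique))
        if reasons:
            flagged.append((i["machine"], i["pid"], reasons))
    return flagged


def export_suspects_csv(flagged):
    """Step 4 of the scenario: serialise the suspect list for the forensic tool."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["machine", "pid", "reasons"])
    for machine, pid, reasons in flagged:
        writer.writerow([machine, pid, " | ".join(reasons)])
    return buf.getvalue()


if __name__ == "__main__":
    con = open_sweep()
    print(describe_schema(con))
    print(export_suspects_csv(find_irregular(process_view(con, "svchost.exe"))))
```

Against a real file the order is: `open_sweep("sweep.sqlite")`, then `describe_schema` to learn the actual table and column names, then adapt the query in `process_view` to them; the majority-vs-outlier comparison in `find_irregular` is what the slide's "easy to spot irregularities" amounts to once every instance of the process sits in one view, and it only becomes possible because the data was taken out of the forensic tool's own interface.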

Page 16: Usage aspects techniques for enterprise forensics data analytics tools

EnCase v7 sweep view

• through the EnCase program

• through Case Analyzer – browser / reporter

• very rough interface

• no global view

Page 17: Usage aspects techniques for enterprise forensics data analytics tools

EnCase view of sweep data

Page 18: Usage aspects techniques for enterprise forensics data analytics tools

EnCase snapshot & disk view

Page 19: Usage aspects techniques for enterprise forensics data analytics tools

EnCase data browser – Case Analyzer EnScript

Page 20: Usage aspects techniques for enterprise forensics data analytics tools

Case analyzer report view

Page 21: Usage aspects techniques for enterprise forensics data analytics tools

EnCase – in-program view of the data

Page 22: Usage aspects techniques for enterprise forensics data analytics tools

INsig2 – Integrirana sigurnost

Example of integration: other enterprise security tools

• Automated Incident Response Suite automates the task of manually filtering through alert data via the IDS/SIM/CMS interface

• selects alerts of interest

• performs an investigation through a snapshot

• same idea for data analysis as for plain EnCase Enterprise

• additional sources: log collector, SIEM, other forensic tools

Page 23: Usage aspects techniques for enterprise forensics data analytics tools

Conclusion

• useful, but it needs a lot of expertise in all the tools used to get the data out and compare the really important data

• lack of standardization

• XML is useful

• for real-time incidents, too much work goes into the tool instead of the task

• mobile devices put a whole new dimension into this problem

Page 24: Usage aspects techniques for enterprise forensics data analytics tools

Related tools & ideas

• Nuix http://www.nuix.com/

• other data mining / data analysis tools

• In the last year a lot of vendor-specific tools, shipped as part of packages, have been coming to market, mostly for timeline analysis and connection analysis, but again they lack flexibility

Page 25: Usage aspects techniques for enterprise forensics data analytics tools

Questions?

[email protected]