Usage Aspects Techniques For Enterprise Forensics Data Analytics Tools
Description: EnCase v7 Enterprise sweep data access through Infozoom
Damir Delija [email protected]
"New Security Threats and Critical National Infrastructure" (Nove sigurnosne ugroze i kritična nacionalna infrastruktura), Zagreb, 12-13.09.2013
Idea
• How to analyze data in the internal database and data repositories of a forensic tool through external data analytics tools
• Or, more generally: access to hidden data in forensic tools, especially enterprise class forensic tools
– (this is not a new problem; something very similar happened in network management ages ago)
To explore the situation
• Try what can be collected from commercial forensic tools
– EnCase v7, FTK as forensic tools
– Infozoom as data presentation and analysis tool
• also some open source add-ons
Evolution Of Enterprise Forensics Capabilities
• disk images – forensic image of remote physical or logical disks, acquired and preserved on the forensics workstation
• memory images – forensic image of the whole RAM of a remote node and memory images of processes, acquired and preserved on the forensics workstation
• snapshot data – presents the current structure of users, processes, DLLs, open files, network information (ARP table, DNS table, routing table)
• Each step brings a huge amount of data and metadata into the forensic tool
• this data is not worthless even if it is not directly related to the first line of examination
Forensic tools example: EnCase v7
• EnCase v7
– stores data in cache files and evidence files
• cache – processed data, usually sqlite
• evidence – original data
– Other forensic tools store data in a db or in various files (FTK, X-Ways, UFED ...)
– the data is there; what you can see is what the forensic tool allows you to see
• or a huge effort to do a workaround to access the data
Forensics Components – EnCase Enterprise approach
[Diagram: Examiners at Company Headquarters, SAFE servers, and Target Nodes in Main Office A, Main Office B and the Branch Office, connected over a WAN]
EnCase Enterprise sweep
• collects live snapshot data from all machines in the enterprise – a forensic agent (servlet) is installed on each machine
• data goes into a sqlite db file on the examiner machine
• the GUI and interface in EnCase are harsh and unhelpful for data extraction / analysis
• access to data from EnCase – use the data browser or write an EnScript program
Simple Network Incident Scenario
• Step 1, Snapshot: forensic snapshot of the suspected machines involved in the incident
• Step 2, Internal analysis: snapshot analysis in the forensic tool; export data to other related tools for fine analysis
• Step 3, External analysis: analysis based on data properties (not intrinsically forensic values) with external tools; the data is made available to non-forensic tools (export, database connection etc.)
• Step 4, Action or redoing the snapshot: results from step 3 go back into the forensic tool as a list of suspicious processes, and further forensic analysis is carried out (hash analysis, entropy etc.)
• for any data consolidation it helps if an additional view into the data is available
• this view is problem dependent and very often fuzzy; it requires data export into something else (very often Excel) or into an SQL database
Example
• set of sweeps and the related sqlite db file
• Sweep.sqlite – all sweep data in one file
Explanation of data
• for each sweep (set of machine snapshots) – some data are undocumented
– the set of machine snapshots is contained in various tables
• machine data
• users, groups
• network data (IP, route, ARP, MAC ...)
• DLLs and their attributes – instances of a DLL, ownership, size, hash, loads
• processes and their attributes – instances of a process, ownership, size, hash ...
– no disk info (another method of access)
Data in Sweep.sqlite – set of snapshots
Snapshot data
• info about snapshots
IP data
• information about IP related data in the snapshot
• data in native format (hex etc.)
Process data
• all data about a process as one big view
• easy to spot irregularities
Example: svchost.exe
– often infected through DLL injection
Example: process svchost.exe on all machines in the sweep db
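Added example (not from the original presentation): step 3 of the scenario above, run over the sweep db for svchost.exe on all machines, producing the list of suspicious processes that goes back into the forensic tool in step 4. The table name, column names, hashes and sample rows are constructed assumptions, since the real Sweep.sqlite layout is partly undocumented; the script builds an in-memory stand-in instead of opening a real file.

```python
import sqlite3
from collections import Counter

# Constructed sample rows in an ASSUMED schema (machine, pid, name, path, hash).
# The hash values are placeholders, not real file hashes.
SAMPLE_PROCESSES = [
    ("ws-01", 820, "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaaa0001"),
    ("ws-01", 904, "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaaa0001"),
    ("ws-02", 812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaaa0001"),
    ("ws-03", 844, "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaaa0001"),
    ("ws-03", 1588, "svchost.exe", r"C:\Users\Public\svchost.exe", "bbbb0002"),
    ("ws-04", 836, "svchost.exe", r"C:\Windows\System32\svchost.exe", "cccc0003"),
    ("ws-04", 1200, "explorer.exe", r"C:\Windows\explorer.exe", "dddd0004"),
]


def build_sample_sweep_db():
    """In-memory stand-in for Sweep.sqlite with an assumed 'process' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE process (machine TEXT, pid INTEGER, name TEXT, path TEXT, hash TEXT)")
    con.executemany("INSERT INTO process VALUES (?, ?, ?, ?, ?)", SAMPLE_PROCESSES)
    return con


def find_process_outliers(con, name="svchost.exe"):
    """Compare every instance of `name` across all machines in the sweep against
    the fleet-wide majority path and hash. Returns (machine, pid, path, hash, reason)
    tuples: the list of suspicious processes to hand back to the forensic tool."""
    rows = con.execute(
        "SELECT machine, pid, path, hash FROM process "
        "WHERE lower(name) = lower(?) ORDER BY machine, pid", (name,)
    ).fetchall()
    if not rows:
        return []
    common_path = Counter(r[2].lower() for r in rows).most_common(1)[0][0]
    common_hash = Counter(r[3] for r in rows).most_common(1)[0][0]
    suspicious = []
    for machine, pid, path, h in rows:
        reasons = []
        if path.lower() != common_path:
            reasons.append("path differs from majority")
        if h != common_hash:
            reasons.append("hash differs from majority")
        if reasons:
            suspicious.append((machine, pid, path, h, "; ".join(reasons)))
    return suspicious


if __name__ == "__main__":
    for entry in find_process_outliers(build_sample_sweep_db()):
        print(entry)
```

The majority check is a triage heuristic: machines on a different OS build legitimately carry a different svchost.exe hash, which is why step 4 (hash and entropy analysis inside the forensic tool) confirms before any action.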
EnCase v7 sweep view
• through the EnCase program
• through the case analyzer – browser / reporter
• very rough interface
• no global view
EnCase view of sweep data
EnCase snapshot & disk view
EnCase data browser – Case Analyzer EnScript
Case Analyzer report view
EnCase – in-program view of the data
INsig2 – Integrated Security
Example of integration with other enterprise security tools
Automated Incident Response Suite automates the task of manually filtering through alert data via the IDS/SIM/CMS interface
• selects alerts of interest
• performs an investigation through a snapshot
• same idea for data analysis as for plain EnCase Enterprise
• additional sources: log collector, SIEM, other forensic tools
Conclusion
• useful, but needs a lot of expertise in all the tools used to get the data out and compare the really important data
• lack of standardization
• XML is useful
• for real-time incidents, too much work on the tool instead of on the task
• mobile devices add a whole new dimension to this problem
Related tools & ideas
• Nuix http://www.nuix.com/
• other data mining / data analysis tools
• In the last year a lot of vendor specific tools are coming to market as part of packages, mostly for timeline analysis and connection analysis, but again they lack flexibility
Questions?