Professional Documents
Culture Documents
> Damage assessment: What was taken, when was it stolen, where did it go, how was
it taken, and who did it?
> This is probably the most common family of questions and DFIR professional is
asked to address.
> Victims tend to be most interested (or are required to track down) details
surrounding what data was stolen. Although attribution is not typically the most
important question, knowing who your likely attacker(s) may be will help to
understand intent and capabilities, and hence what data they would be most
interested in acquiring.
> Although we're interested in learning about the compromise or theft events
themselves, it is often helpful to learn more about the events that occurred
immediately before or after an event as well. This can give the analyst helpful
context about why other observations may or may not be important, as well as if
there are any other systems in the environment that may be compromised.
> One of the most common questions we're faced with is how a malware event came to
be:
> Did the malware land via a web-based drive-by download from a compromised
advertising network?
> Was the user enticed to open an attachment or click on a link in a phishing or
spear phishing campaign?
> The network perspective can often give clear answers about how the event was
initiated, which can again characterize an attacker's intent and capabilities.
- tcpdump/windump generated
- Uses de facto standard libpcap file format
- Typical file extensions: pcap dump cap
- not mandatory - use file magic
- Contain the data from the interface to which the sniffer/protocol analyzer was
connected
The term PCAP come from Packet CAPture and relates to the file format that the
libpcap tool generates as it saves captured network data. libpcap a Unix/Linux tool
has been ported to Microsoft Windows operating systems in the form of the winpcap
library
The sniffer will generate a file containing the data taken from whichever
interface is was connected to, it is important to understand the type of interface
and thus the data the pcap contains.
# Evidence Types: NetFlow (**F**)
A flow is considered to be a communication between the same hosts using the same
source and destination ports and the same protocol. Some protocols have additional
identifiers. In the case of TCP, the initial sequence number is also used to
identify a distinct flow. The flow record includes the number of packets
transmitted and the total volume data transmitted in the payloads of packets,
# External Sources
> Pros
> - Collect evidence before you need it: Continuous Monitoring, aka SANS SEC511
> - Easy to activate without downtime, ensures strategic focus on IR/forensics
> Cons
> - High cost for "maybe" requirements, can be limiting if problems don't occur
where capture devices are, possible proprietary storage formats
- Links to be monitored
- Processor
- Network interface and throughput
- Storage and desired retention period
- Out-of-band management
- Operating system hardening
- Trusted, synchronized system clock
- Approved plans on when and how to use them
- Properly trained human operators
# What to Capture