Internet Investigations
Who does internet investigations
● Recon for social engineering (CTFs)
● Intelligence
● Internal investigations
● Criminal investigations
Recon for social engineering
● CTFs - Who is Eric Liang?
● Social Engineering
○ Feign familiarity
○ Spear Phishing
● Recruit Sources (Double Agent)
○ Insider Threat
○ Insider may not know
CyberSeed
Intelligence
● HUMINT
● SIGINT
● IMINT
● GEOINT
● MASINT
● TECHINT
● CYBINT
● FININT
● OSINT
● All Source
● Aggregating unclassified to get classified (the mosaic effect)
Internal Investigations
● Unauthorized use of resources
● Exfiltration of secrets
● Insider threats / Counter Intelligence
● E-Discovery
● FOIA
Criminal Investigations
● Black Markets
○ Traditional Goods - Drugs, Weapons, Tools
○ Child exploitation
○ Human trafficking
○ Malware
○ Pwned Data
● Doxing and personal security
● Branding & Online Presence for ‘IRL’ crime
People incriminate themselves
Post evidence of illegal activity in plain sight
#HCMT
But why???
● Branding
● Black Market Biz is still Biz
● Hashtags have replaced gang signs
Pepsi in a Coke glass #THUGLIFE
Types of Forensics
● Seized Computer
● Live
● Mobile
● Embedded
● Cloud
How does cyber tie in to forensics?
(Diagram: an online user identity links to a computer user account, which links to a real-world user; other online accounts link back to the same computer user.)
What are we looking for in an image?
● Account info
○ Passwords if you can
○ Wordlist for PW guessing
● Artifacts of user online activity
● Contraband
○ May be classified info they are supposed to have access to, but not on this device
What are we looking for online?
● Identifying Information
● IP address registration
● Social Networks (Who people talk to)
● Patterns of life
When you stare into the abyss, it stares back into you….
● Online investigation machine is a separate (virtual) machine from the forensic workstation
● Sanitize meta-data
● Burner phones
● Disguise IP address
Virtual Machines / Appliances
Pen Test - Kali
Forensics - Sift
Reverse Engineer - Remnux
OSINT - Buscador
https://inteltechniques.com/buscador/
Online tools also exist but you would not use those in a real investigation - fine for CTFs.
VM best practices
● Take snapshots
● Forensic VM is only online for updates & installing tools
● Use removable media for collecting evidence
○ Forensic wipe before and after use
○ https://linux.die.net/man/1/nwipe
● Revert snapshot after investigation
IP and metadata
● IP lookup - dig, nslookup, registration / naming authority lookup
● Tor (The Onion Router) and VPNs
○ TunnelBear https://www.tunnelbear.com/
○ Browser plugins
● Tracking cookies
○ Privacy Badger, uBlock
○ User Agent Switcher
● Document and email metadata
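Email headers are the metadata case that comes up most: every relay prepends its own Received: line, so reading the chain bottom-up walks from the sender toward you. The script below is an added example for this page, not from the original slides; the message is constructed for illustration, and every host name and address in it is made up (addresses from the RFC 5737 documentation ranges).

```python
"""Parse the Received: chain of an e-mail to recover relay addresses.

Added example for this page, not from the original slides. The message is
constructed for illustration: every host name and address in it is made up
(the addresses come from the RFC 5737 documentation ranges).
"""
import email
import ipaddress
import re

# Constructed sample. Each relay prepends its own Received: line, so the
# top line is the hop nearest the recipient and the bottom line is the one
# nearest the sender, i.e. the most interesting one for attribution.
RAW_MESSAGE = b"""Received: from mx2.example.org (mx2.example.org [203.0.113.7])
\tby inbox.example.net with ESMTPS id abc123; Tue, 5 Mar 2019 10:02:11 +0000
Received: from relay.example.com ([198.51.100.23])
\tby mx2.example.org with ESMTP; Tue, 5 Mar 2019 10:02:09 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby relay.example.com with ESMTPA; Tue, 5 Mar 2019 10:02:05 +0000
From: Someone <someone@example.com>
To: target@example.net
Subject: hello
Message-ID: <20190305100205.1234@relay.example.com>

Body text.
"""

# Dotted quad not glued to other digits or dots (avoids matching inside IDs).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_chain(raw):
    """Return the hops in sender-to-recipient order.

    Each hop records the host named after 'from', the syntactically valid
    IPv4 addresses on that line (the first one is normally the connecting
    client), and the unfolded header text for the report.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        ips = []
        for cand in IPV4.findall(hdr):
            try:
                ips.append(str(ipaddress.ip_address(cand)))
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
        m = re.search(r"from\s+(\S+)", hdr)
        hops.append({
            "from": m.group(1) if m else None,
            "ips": list(dict.fromkeys(ips)),  # dedupe, keep order
            "raw": " ".join(hdr.split()),     # unfold for the report
        })
    return hops


def origin_candidate(raw):
    """Best guess at the submitting host: first IP of the earliest hop."""
    hops = received_chain(raw)
    return hops[0]["ips"][0] if hops and hops[0]["ips"] else None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE)):
        print(i, hop["from"], hop["ips"])
    print("origin candidate:", origin_candidate(RAW_MESSAGE))
```

Only trust the Received: lines added by servers you control or can verify; everything below them is text the sender could have typed in. The extracted addresses are what you then feed to dig/whois-style lookups.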
Documentation
● Screencap
○ SnagIt, built-in tools for Linux/Windows 10
○ Browser plugins - Awesomeshot, Fireshot
○ May have to save an offline version of the web page
■ wget -m -k or save as complete page
○ NoScript plugin to disable extra BS
○ Screenshot your tools, highlight important stuff (break down Barney style / Snookify)
● Video Capture
○ VLC, Camtasia
○ Downloader plugins
Assume that Snooki is a member of the jury. Write your report and notes accordingly.
(BTW Snooki is in Google’s spell check - no red squiggles) :(
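Screenshots and saved pages are only worth something if you can show later that they have not changed since collection. The script below is an added example for this page, not from the original slides: it hashes everything under a capture directory into a manifest kept outside that directory, and re-verifies it. The manifest layout (JSON with case id, examiner, UTC timestamp and per-file SHA-256) is an assumption for illustration; demo() builds a throwaway directory with a constructed page capture to show the workflow.

```python
"""Build and verify a SHA-256 manifest for a directory of captured evidence.

Added example for this page, not from the original slides. The manifest
layout is an assumption for illustration; demo() builds a throwaway
directory with a constructed page capture to show the workflow.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large captures do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def write_manifest(root, manifest_path, case_id, examiner):
    """Write the manifest outside root; return it and its own hash.

    Record the returned manifest hash in your handwritten notes; it is the
    one value that lets someone else verify the whole set later.
    """
    doc = {
        "case_id": case_id,
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": hash_tree(root),
    }
    with open(manifest_path, "w") as f:
        json.dump(doc, f, indent=2, sort_keys=True)
    return doc, sha256_file(manifest_path)


def verify_manifest(root, manifest_path):
    """Return sorted (problem, path) pairs; an empty list means intact."""
    with open(manifest_path) as f:
        expected = json.load(f)["files"]
    current = hash_tree(root)
    problems = []
    for rel, digest in expected.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != digest:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in expected:
            problems.append(("added", rel))
    return sorted(problems)


def demo():
    """Collect a constructed capture, verify it, tamper, verify again."""
    evidence = tempfile.mkdtemp(prefix="evidence-")
    notes = tempfile.mkdtemp(prefix="notes-")
    with open(os.path.join(evidence, "page.html"), "w") as f:
        f.write("<html>constructed capture of a profile page</html>")
    manifest = os.path.join(notes, "manifest.json")
    write_manifest(evidence, manifest, "CASE-0001", "examiner")
    before = verify_manifest(evidence, manifest)
    with open(os.path.join(evidence, "page.html"), "a") as f:
        f.write("<!-- edited after collection -->")
    after = verify_manifest(evidence, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run it against the removable media right after a wget -m -k capture, and again before handing the media over; the manifest hash written in your notes is what ties the two together.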
Search People
● Search Engines https://www.lifewire.com/search-engines-that-top-the-web-3482269
○ Pipl
● Usernames across sites
○ https://namechk.com/
○ http://checkusernames.com/
● Public records
○ http://publicrecords.onlinesearches.com/FL_Leon.htm
● Twitter & Social Network maps
Search Images
● Google reverse search
● Tineye
● Fotoforensics
Search locations
● Public records
○ County GIS
○ Voting records - https://registration.elections.myflorida.com/CheckVoterStatus
● Real Estate Sites
● Geotagged posts
○ Document in Google MyMaps -> export kmz for Google Earth Pro
Do you even google bro?
● Urban dictionary
● Drug Bible
● English. Do you speak it?
● Advanced Google searches
● Use other search engines (they do exist)
○ DuckDuckGo
REGEX
● http://www.regular-expressions.info/reference.html
● Passwords and keys
● Contact info
● Specific kinds of evidence like PII or financial
info / credit cards
● GREP
● Python
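Grepping a text dump for "anything that looks like a card number" drowns you in order numbers and timestamps, so the useful regex sweep pairs a loose pattern with a structural check. The script below is an added example for this page, not from the original slides: SAMPLE is constructed text, the phone, e-mail and SSN patterns are deliberately simple US-centric ones, and card candidates are filtered with the Luhn checksum so random 13-19 digit runs are reported as non-cards.

```python
"""Regex sweep for contact details and payment data in extracted text.

Added example for this page, not from the original slides. SAMPLE is
constructed; the patterns are simple US-centric ones and card candidates
are filtered with the Luhn check to cut false positives.
"""
import re

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
US_PHONE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
US_SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample text; 4111... are the usual test card numbers.
SAMPLE = (
    "Ship to john.doe@example.com, call (555) 010-2345 after 5pm.\n"
    "Card on file: 4111 1111 1111 1111 exp 12/23, backup 4111-1111-1111-1112.\n"
    "Order ref 1234567890123 is not a card. SSN 078-05-1120 appeared in the dump.\n"
)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (right-to-left doubling)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return candidate PII grouped by type; cards carry their Luhn result."""
    cards = []
    for m in CARD.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        cards.append((digits, luhn_ok(digits)))
    return {
        "emails": EMAIL.findall(text),
        "phones": US_PHONE.findall(text),
        "ssns": US_SSN.findall(text),
        "cards": cards,
    }


def scan_file(path):
    """Line-oriented version for big dumps: yields (line_no, kind, value)."""
    with open(path, errors="replace") as f:
        for n, line in enumerate(f, 1):
            for kind, values in scan(line).items():
                for v in values:
                    yield n, kind, v


if __name__ == "__main__":
    for kind, values in scan(SAMPLE).items():
        print(kind, values)
```

The 13-digit order reference is still reported, just flagged Luhn-false, so you can decide whether it is worth a look; a pattern tuned to never produce false positives would also miss hand-typed numbers with a wrong digit.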
Databases
● Many programs such as Chrome, Firefox,
and Skype use SQLite
● Forensic tools like sleuthkit catalog evidence
in a database.
● Windows Registry
○ B-Tree “Hives”
● Thumbnails
Where do I start?
● Breadth 1st search vs Depth 1st
● Recent activity○ RAM
○ Registry entries
○ Recent files - MRU, prefetch, jumplists
○ Recent websites - URLs, fav, icons, cookies, cache(index.dat)
○ USB drives - make, model, partition serial #
○ Printer
○ Notes and post-its
● Context of the investigation
● Anti Forensics
Walk through the registry
● Document users and system time
● Recent activity
● Installed programs
○ Encryption
○ Cleaners
● Devices
● Crack the SAM to recover the user's Windows password (needed to decrypt DPAPI-protected data such as saved credentials and form data)
○ https://www.techsupportalert.com/content/deeper-windows-registry.htm
○ http://www.nirsoft.net/
○ http://juggernaut.wikidot.com/web
○ https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/INSTALL-UBUNTU
RAM demo
LiME - https://github.com/504ensicsLabs/LiME
insmod ./lime-4.4.0-97-generic.ko "path=/tmp/limedump format=lime"
cd /tmp/
strings limedump | grep -i "Internet Investigations" | less
SQLite Demo
Windows GUI: sqlitebrowser.org
Linux: sudo apt install sqlite3
sqlite3 filename
.tables
.schema table
SELECT * FROM table;
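The .tables / .schema / SELECT walk above is how you find the interesting tables; the part that trips people up is the timestamps once you have them. The script below is an added example for this page, not from the original slides, and serves both the Databases slide and this demo: it builds a constructed, cut-down copy of the urls and visits tables from Chrome's History file (made-up rows), joins them the way the demo's SELECT would, and converts the WebKit time format, which is microseconds since 1601-01-01 UTC rather than the Unix epoch.

```python
"""Query a Chrome-style History database and convert its timestamps.

Added example for this page, not from the original slides. The tables are a
constructed, cut-down copy of Chrome's `urls` and `visits` tables and the
rows are made up. Chrome/WebKit store times as microseconds since
1601-01-01 UTC, not the Unix epoch.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_WEBKIT_US = 11644473600 * 10**6   # 1970-01-01 in WebKit microseconds


def webkit_to_datetime(us):
    """Microseconds since 1601-01-01 UTC -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse, handy for building time-window queries."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def constructed_history():
    """In-memory stand-in for the user's History file (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/market', 'Market', 1, 13196253731000000);
        INSERT INTO urls VALUES (2, 'https://example.net/login', 'Sign in', 1, 13196250131000000);
        INSERT INTO visits VALUES (1, 2, 13196250131000000, 0);
        INSERT INTO visits VALUES (2, 1, 13196253731000000, 1);
    """)
    return conn


def recent_visits(conn, since_iso=None, limit=50):
    """Most recent visits first as (iso_time, url, title).

    since_iso is an ISO-8601 string with offset, e.g. '2019-03-05T10:00:00+00:00';
    the comparison is done in the database's own WebKit units.
    """
    sql = """SELECT v.visit_time, u.url, u.title
             FROM visits v JOIN urls u ON u.id = v.url"""
    params = ()
    if since_iso is not None:
        sql += " WHERE v.visit_time >= ?"
        params = (datetime_to_webkit(datetime.fromisoformat(since_iso)),)
    sql += " ORDER BY v.visit_time DESC LIMIT ?"
    params += (limit,)
    return [(webkit_to_datetime(t).isoformat(), url, title)
            for t, url, title in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = constructed_history()
    for row in recent_visits(conn):
        print(*row)
```

Work on a copy of the History file, never the original in the user's profile. Firefox's places.sqlite (moz_places / moz_historyvisits) stores microseconds since the Unix epoch instead, so the 1601 offset must not be applied there.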
Web demo
● Dark Web - will pwn for bitcoin
○ https://hansamkt2rr6nfg3.onion
○ http://2ogmrlfzdthnwkez.onion/
● Pastebin
● Have I been pwned?
● Virus Total
● OSINT website