CISSP Session 04

This document provides an overview and introduction to the CISSP Bootcamp course. It outlines details about the instructor, class time, and how to access recorded sessions and course documents. Key topics that will be covered include identity and access management (IAM), privileged accounts, single sign-on (SSO), authentication protocols like SAML, OAuth, OpenID Connect, Kerberos, and multifactor authentication methods.

Uploaded by

wfelicesc

Welcome to the CISSP Bootcamp
Your instructor: Michael J Shannon
CISSP #42221 / #524169, CCNP-Security, PCNSE7, AWS Certified Security – Specialty, OpenFAIR, and ITIL 4 Managing Professional
Class will begin at 10:00 A.M. Central Standard Time (CST)
You can view recorded sessions and download the course documents at: http://tiny.cc/CISSP2018LIVE
Identity and Access Management (IAM)
• Identity and access management (IAM) is the process of enabling the proper entities to access the authorized resources at precisely the right times and for the right reasons
• The trend is to give users as little direct access to
services, apps, and the original data as possible
• There is a mission-critical need to ensure
appropriate access to resources across increasingly
heterogeneous technology environments
• IAM is a vital undertaking for any enterprise and it
should be business-aligned
• IAM requires business skills and not just technical
expertise
IAM at AWS
IAM using Cisco Identity Service Engine (ISE)
Identity Service Engine (ISE)
Intelligent, integrated protection through
intent-based policy and compliance
• Full contextual identity and profiles of all
users, devices, and applications on your
networks
• Asset visibility
• Secure wired and wireless access
• Device segmentation, administration, and
compliance
• Threat containment
• BYOD mobile device management
Privileged Accounts
• Get elevated access to systems with
special credentials
• Typically give nonrestricted, or at least
elevated, access to the system, service,
or applications
• Designed for systems administrators to
deploy and manage IT infrastructure
devices, operating systems, databases,
applications, and more
• They are the "keys to the kingdom" and
the prime target of malicious external
attackers and insiders
Privileged Accounts
• Most common privileged accounts:
• Root user accounts
• Local administrative accounts
• Privileged user accounts (exec user)
• Forest and domain administrative
accounts
• Emergency accounts
• Application accounts
Service Accounts
• Service accounts can be privileged local or domain accounts used by an application or service to function with the network operating system
• Some service accounts have domain administrative
privileges contingent on the application needs, such as
corporate mail or database services
• Local service accounts can operate with several different
system components, which renders coordination of
password changes challenging
• Service account passwords are rarely changed, which can
become a significant vulnerability for an enterprise
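An added example, not from the slides: a small Python audit over a constructed account inventory that flags the risks described above, privileged accounts with stale passwords and service accounts whose passwords are never rotated or that hold more rights than the application needs. The account list, the 90-day and one-year thresholds, and the account kinds are assumptions made for the demonstration; a real run would pull the inventory from the directory or CMDB.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds (not from the slides): privileged passwords rotate
# within 90 days; any service account password older than a year is a finding.
MAX_PRIVILEGED_PWD_AGE = timedelta(days=90)
MAX_SERVICE_PWD_AGE = timedelta(days=365)


@dataclass
class Account:
    name: str
    kind: str            # "user", "service", "local-admin", "domain-admin"
    privileged: bool     # holds elevated rights on the host or domain
    pwd_last_set: date


# Constructed inventory; a real run would pull this from AD, LDAP or a CMDB.
SAMPLE_INVENTORY = [
    Account("svc-mail", "service", True, date(2019, 3, 1)),
    Account("svc-backup", "service", False, date(2023, 11, 5)),
    Account("jdoe", "user", False, date(2024, 4, 20)),
    Account("da-admin1", "domain-admin", True, date(2023, 12, 1)),
    Account("local-admin", "local-admin", True, date(2024, 5, 1)),
]


def audit_accounts(accounts, today):
    """Return {account name: [finding, ...]} for accounts that need attention."""
    findings = {}
    for acct in accounts:
        age = today - acct.pwd_last_set
        notes = []
        if acct.privileged and age > MAX_PRIVILEGED_PWD_AGE:
            notes.append(f"privileged password is {age.days} days old "
                         f"(limit {MAX_PRIVILEGED_PWD_AGE.days})")
        if acct.kind == "service" and age > MAX_SERVICE_PWD_AGE:
            notes.append("service account password not rotated in over a year")
        if acct.kind == "service" and acct.privileged:
            notes.append("service account holds privileged rights; "
                         "confirm the application still needs them")
        if notes:
            findings[acct.name] = notes
    return findings


def run_sample_audit():
    """Run the audit against the constructed inventory on a fixed date."""
    return audit_accounts(SAMPLE_INVENTORY, date(2024, 6, 1))


if __name__ == "__main__":
    for name, notes in run_sample_audit().items():
        print(name)
        for note in notes:
            print("  -", note)
```

On the sample data only svc-mail (three findings) and da-admin1 (one finding) are reported; the local administrator account is within the 90-day window and the non-privileged service account is within the one-year window, so neither is listed.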
Single Sign-on (SSO) Federation Services
“One ring to rule them all”
• A method of access control of multiple
associated, yet independent, systems
• Users log in with a single ID and password
(and/or other factors) to gain access to any of
several related systems and services with
these benefits:
• Mitigate risk for access to 3rd-party sites
• Reduce password fatigue from different
credential combinations
• Avoid having to re-enter passwords for the
same identity
• Reduce IT costs due to lower number of IT
help desk calls
SAML 2.0
• SAML is an XML-based open-source SSO standard
• It is used by many cloud SSO connections for thousands of large enterprises, government agencies, and service providers that communicate via the Internet
• The key advantage of SAML is open-source interoperability
• Some large companies now require SAML 2.0 for Internet SSO with SaaS applications and other external ISPs
• There are several components in the
SAML scenario:
• The identity provider (IdP) declares the
identity of the user
• The service provider takes the
SAML 2.0 assertion and passes the identity
data to an application or Service
Provider
• Entity usually gets access with a
temporary security token
Open Authorization (OAuth)

• OAuth 2.0 is an open authorization framework that allows a third-party application to get limited access to an HTTP service
• It's designed specifically to work with HTTP; essentially it allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner
• Consumer developers use OAuth to publish and interact
with protected data in a safe and secure manner
• Service provider developers can use OAuth to store
protected data and give users access to their data while
protecting account credentials
OpenID Connect

• OpenID Connect 1.0 is a basic identity layer on top of the OAuth 2.0 protocol
• It verifies the end-user identity using an authorization server
• It can get basic profile information about the user with an interoperable REST-like methodology
• Supports web-based, mobile, and JavaScript clients
• OpenID is extensible as functionality can be added
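Added example (not from the course material): what a relying party does with the ID token that OpenID Connect layers onto OAuth 2.0, the token being how the end-user identity verified by the authorization server reaches the client. The issuer URL, client id, client secret and fixed clock value are hypothetical, and HS256 with a shared client secret stands in for the RS256/JWKS setup most public providers use; the claim checks (issuer, audience, expiry, nonce) are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical provider/client values and a constructed HS256 client secret.
# Public OIDC providers normally sign with RS256 and publish keys via JWKS;
# the claim checks below are the same, only the signature check differs.
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "demo-client-id"
CLIENT_SECRET = b"constructed-client-secret-for-demo"
DEMO_NOW = 1_700_000_100          # fixed "current time" so the demo is repeatable


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed ID token (compact JWS), as the IdP would."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(_sign(signing_input, secret))


def example_claims() -> dict:
    """Constructed claim set for a successful login."""
    return {"iss": EXPECTED_ISSUER, "sub": "user-123", "aud": EXPECTED_AUDIENCE,
            "iat": DEMO_NOW - 5, "exp": DEMO_NOW + 300, "nonce": "nonce-abc"}


def alter_payload(token: str, **changes) -> str:
    """Rewrite claims without re-signing; shows the verifier rejects the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return ".".join([header_b64, b64url_encode(json.dumps(claims).encode()), sig_b64])


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = CLIENT_SECRET):
    """Relying-party checks, in order: structure, alg, signature, iss, aud,
    exp, nonce. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed token", None
    if header.get("alg") != "HS256":            # never let the token pick the algorithm
        return False, "unexpected alg", None
    expected = _sign(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature", None
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer", None
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience", None
    if claims.get("exp", 0) <= now:
        return False, "expired", None
    if claims.get("nonce") != expected_nonce:    # binds the token to this login attempt
        return False, "nonce mismatch", None
    return True, "ok", claims
```

The order matters: the signature is checked before any claim is trusted, the algorithm is fixed by the client rather than read from the token, and the nonce ties the token to the authentication request the client actually started.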
Shibboleth

• Provides federated identity
• Connects users to both interorganizational and intraorganizational applications and services
• Is free, open source, and popular with universities and public service organizations
• Empowers sites to make well-informed authorization choices
for discrete access to protected online resources while
maintaining user privacy
Kerberos
• Kerberos is a single sign-on (SSO) authentication protocol
that uses a secret-key cryptosystem for network-wide
authentication
• It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client
• After they have proven their identities, they can also encrypt
all communications going forward
• To guarantee privacy and data integrity Kerberos depends on
a trusted third party called the Key Distribution Center (KDC),
which is cognizant of all systems and is trusted by all in the
realm
Kerberos
Authentication Tokens (MFA)
Synchronous Tokens
• Synchronous token methods are
synchronized with an external source,
usually a clock or a counter
• Clock-based uses an internal clock
combined with a base secret key to
generate a time-based password
• Counter-based involves an administrator
first inserting a specific base secret and
internal counter into user’s token and
copying it to the server device
Authentication Tokens (MFA)
Asynchronous Tokens
• Here, the token generates a password
based on a challenge or nonce (a pseudo-
random number) from the server
• The number and password are then
combined with a base secret key within
the token
• The user responds to the server’s
challenge, the nonce, using the result of
this combination as its reply
Authentication Tokens: Fobs and Cards
• Static token
• Same information used each time
• Synchronous tokens
• Information changes each time
• Clock-based
• Counter-based
• Asynchronous tokens
• Information changes each time
• Not clock based
• PKI token
• Stores X.509 v3 certificate and keys
Authentication Tokens: Fobs and Cards
• Disconnected token
• Built-in screen that displays authentication
data

• Connected token
• Must be connected/inserted into computer
• Automatically transmits authentication data
once connected

• Contactless token
• Needs to be near the computer
• Bluetooth/NFC
• Mobile device tokens
• TOTP Software installed on phone
Authentication Smart Cards
• Contains authentication information
credentials in an encrypted form
• Smart cards
• Contact or contactless
• Contains a microprocessor chip
• Memory cards
• Like a smart card but no microprocessor
• Key cards
• Contact-based
• Contains magnetic strip that holds
information
Biometric MFA: Fingerprint Identification
• Fingerprints remain constant throughout life
• In over 140 years of fingerprint comparison worldwide, no two fingerprints have ever been found to be alike, not even those of identical twins
• Fingerprint identification involves comparing the pattern of ridges and furrows on the fingertips, as well as the minutiae points of a specimen print, with a database of prints on file
• Good fingerprint scanners have been built into pads, phones, and PDAs, so the scanner technology is also easy to obtain
• This solution might not be suitable in industrial applications since it requires clean hands
Biometric MFA: Facial Recognition
• Face recognition is one of the most flexible as it functions even when the subject is unaware of being scanned
• The fastest growing and prevalent form of identification
• It offers the ability to search through masses of people who
spend only seconds in front of a facial scanner (a digital camera)
• Face recognition systems work by methodically analyzing explicit
features that are common to every person’s face:
• The distance between the eyes
• Width of the nose
• Position of cheekbones, jaw line, chin and so forth
• These numerical quantities are then combined into a single code
that uniquely identifies each person
Biometric MFA: Hand Geometry
• Hand geometry readers work in harsh environments
• They do not require clean conditions and form a very small dataset
• It is not regarded as an intrusive kind of test
• It is often the authentication method of choice in industrial
environments
Biometric MFA: Ocular Recognition
• Retina scan
• There is no known way to replicate a retina as the pattern of the blood vessels at the back of the eye is unique and stays the same for a lifetime
• It requires about 15 seconds of careful concentration to take a
good scan
• Retina scan remains a standard in military and government
installations

• Iris scan
• An iris scan also offers unique biometric data that is difficult to
duplicate and stays the same for a lifetime
• The iris scan is considered more invasive than the retina scan
• Both are similarly difficult to make (especially for children or the
infirm)
Biometric MFA: Physical Signatures
• A signature is another example of biometric data that is easy to gather
• Collecting signature data is not physically intrusive
• Digitized signatures are sometimes used, but usually have
insufficient resolution to ensure authentication
• Physical signatures are rapidly being replaced by digital
signatures with internet transactions and contracts
Biometric MFA: Voice Analysis
• Like facial recognition, voice biometrics offers a way to authenticate identity without the subject's knowledge
• However, it is easier to fake using a tape or digital
recording combined with audio editing software
• It is very difficult to fool a trained analyst or AI system by
imitating another person's voice
Biometric Performance
Different metrics can be used to rate the performance of a biometric factor
False Acceptance Rate (FAR) - the probability (usually a percentage) that the system incorrectly authorizes a non-authorized person, due to incorrectly matching the biometric input with a template
False Rejection Rate (FRR) - the probability that the system incorrectly rejects access to an authorized person, due to failing to match the biometric input with a template
Crossover Error Rate (CER) - the point on the error-rate graph where the false acceptance and false rejection rates are equal
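Added example, not part of the slides: computing FAR and FRR from matcher scores and locating the crossover point. The genuine and impostor score lists are constructed, and the matcher is assumed to output a similarity score in [0, 1] that the system compares against a decision threshold; moving that threshold is what trades one error rate for the other.

```python
# Constructed matcher scores in [0, 1]: higher means "more similar to the
# enrolled template". Genuine = the enrolled person; impostor = someone else.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.66, 0.89, 0.93, 0.78]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.19, 0.41, 0.70]
THRESHOLDS = [i / 20 for i in range(21)]       # 0.00, 0.05, ..., 1.00


def false_acceptance_rate(impostor_scores, threshold):
    """FAR: share of impostor attempts the system wrongly accepts."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR: share of genuine attempts the system wrongly rejects."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per candidate decision threshold."""
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """CER (also called EER): the threshold where FAR and FRR meet, and the
    error rate at that point. Raising the threshold lowers FAR and raises FRR."""
    rows = error_curve(genuine, impostor, thresholds)
    t, far, frr = min(rows, key=lambda r: abs(r[1] - r[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("CER at threshold %.2f = %.2f"
          % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

On the constructed data the two curves meet at a threshold of 0.70, where one impostor in ten is accepted and one genuine user in ten is rejected; a site that fears false acceptance more would pick a higher threshold and accept the extra rejections.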
Exploits and Malware
• Advanced Persistent Threats (APT)
• Ransomware campaigns
• Cryptojacking
• Data & identity theft
• Remote Access Trojans
• DDoS attacks
• Blackmail/extortion
• Web site defacing
• Illegal content distribution
Assessing Vulnerability
Begins with the definition
• It should be quantified as a percentage of probability and not just a vague list of "scary things"
• The likelihood that a threat agent's
actions will result in a loss (frequency
and magnitude)
• It can be a derived value from threat
capability of actors combined with the
resistance of existing security controls
Assessing Vulnerability
Asset assessment and labeling
• All client and server operating systems and versions/builds
• Posture of patches, updates, and security
fixes
• Browsers and types of endpoints
• Methods of access - wired, wireless,
VPN, and remote teleworkers
• Control types and categories
• Access control methodologies (2FA)
Vulnerability Information Gathering
• Various logs (system, application, firewall, etc.)
• Simple Network Management Protocol (SNMP) traps
• NetFlow collection
• Security information and event management (SIEM)
systems
• Next-Generation Intrusion Prevention System (NGIPS) alerts and logs
• Cloud-based visibility tools
• Machine Learning and Artificial Intelligence data analysis
Vulnerability Scanners
HTTP/S is the most common traffic by far
• Web application vulnerability scanners are most common due to heavy usage of HTTP (e.g. Burp Suite and OWASP ZAP)
• Automated tools can scan web applications
and look for these security vulnerabilities:
• Cross-site scripting
• Cross-site request forgery
• SQL and command injection
• Path traversal
• Insecure server configuration
Vulnerability Scanners
Passive Testing Security Controls
• Less intrusive process to daily operations and employee productivity
• Involves using scanning and snooping tools to gather information for analysis
• Uses intrusion detection (copies of frames) as opposed to inline intrusion prevention (IPS)
• Run security devices in monitor-only mode
• Firewalls and other appliances have CLI-based and GUI packet tracer capabilities
• Vulnerability scanning is an easier and often more focused process looking for unpatched
systems and open ports
• Often automated and done on a routine basis (weekly, quarterly), taking a few hours
• Pentesting is a thorough investigation of all known vulnerabilities and an actual ethical
attempt to exploit those vulnerabilities
• Is a more manual activity, often taking days
Threat Modeling
• Involves creating an abstraction of a system
to identify risk and probable threats
(private cloud/sandboxing)
• When cyberthreat modeling is applied to
systems being developed, it can lower
vulnerabilities and risk
• With the widespread adoption of threat
intelligence technologies, most enterprises
are trying to adopt a threat-focused
approach to risk management
• Provides visibility, increased security
awareness and prioritization, and
understanding of posture
Exploitation Frameworks (EKs)
• Exploitation kits used by penetration testers
and crackers to find vulnerabilities and
attack vectors
• Often specialize in certain components, like
routers, browsers, embedded devices,
PowerShell, etc.
• Often open-source initiatives with broad
cooperation from white, gray, and black hat
hackers
• Can be used to prioritize vulnerabilities
and threats in the enterprise
Protocol Analyzers
• Devices that capture and analyze network traffic between two or more systems
• Traffic can be filtered and decoded to visualize what processes are occurring
• Protocol analyzers can be used to find network bottlenecks, troubleshoot, and analyze
malware behavior
• Advanced analyzers can also generate statistics for trend analysis and network
optimization
• Crackers can use them to gather information or even clear-text usernames and passwords
among other things
Protocol Analyzers
Network Scanners
Compliance Scanners
• Carrying out a compliance audit is different
from performing a vulnerability scan
• There will often be some overlap
• A compliance audit decides if a system is
configured in agreement with a recognized
governance policy
• A vulnerability scan determines if the
system is exposed to known vulnerabilities
• Sometimes compliance involves auditing
more sensitive data and systems
Compliance Scanners
• There are many diverse forms of financial
and government compliance requirements
• Typically the compliance requirements are
minimal baselines that can be taken
differently depending on the goals of the
organization
• Compliance requirements must be
in line with the business goals to
ensure that risks are correctly
recognized and alleviated
Identifying Lack of Controls
• This is closely tied to the results of
penetration testing and vulnerability
scanning
• Both processes preserve compliance with
HIPAA, PCI, SOX, ISO, NIST, etc.
• The identification should involve thorough
reporting and risk analysis
• Qualitative and/or quantitative (preferred)
Identifying Common Misconfigurations
• One of the most common vulnerabilities
• Difficult to find without a thorough examination of all applications and code
• Example: Web applications are built on several layers (FE/BE, middleware/business intelligence,
database, browsers, and other web-enabled clients), making a configuration error somewhere
very possible
• Could be as simple as a system administrator forgetting to delete a default account or ex-
employee account with admin/root privileges
• Implementing automation, orchestration, and infrastructure-as-code is a common solution to
misconfiguration
• A mature change and configuration management program is essential
Identifying Common Misconfigurations
• (L2) Begin with switch configuration best practices – wireless access points and controllers
• (L3) Ensure proper routing peer authentication and complete advantage of all firewall and
sensor capabilities
• Evaluate server configuration (web, e-mail, ftp, SP, and content)
• Ensure endpoint configuration focuses on least privilege access controls – privileged vs.
nonprivileged users
• Remove/disable any and all unnecessary features
• Examine all custom code
Gap Analysis
• A gap is the difference between
the implemented existing controls
and the predetermined control
objectives
• Gap analysis is the outcome of
corporate security strategy and
governance
• Current countermeasures should
be established according to the
organization's risk appetite
Gap Analysis
• Foundation for the fundamental
information security initiative
action plans and programs
• Conducted in a reusable and
repeatable method to assess and
report on efficacy of executed
controls
• Focus will be on established
metrics such as key performance
indicators (KPIs) and key goal
indicators (KGIs)
Expert Judgment
• Internal subject matter experts
• Risk register and lessons learned
(LL) database
• Historical documentation
• Compliance experts
• External expert judgment
• Third-party consultants
• Cyber insurance providers
• Legal expertise
• Internal vs. external
• In-house vs. third party

Conducting Security Audits
• Vulnerability assessment
• Penetration testing
• Log reviews
• Synthetic transactions
• Code review and testing
• Misuse case testing
• Test coverage analysis
• Interface testing
• Account management
Conducting Security Audits
• Management review and approval
• Key performance and risk indicators
• Backup verification data
• Training and awareness
• Disaster recovery (DR) and business continuity (BC)
Cybersecurity Exercises
• Red team - imitates the actions and methods of likely black hat hackers
• Blue team - tries to discover and keep out the red team, and performs incident response or active defense if necessary
• Purple team – assumes both roles and oversees and optimizes
Prototyping Solutions
Sandboxing or threat modeling
• Create prototype labs with private
cloud solutions
• Rent time for public clouds to generate
pilot tests for security solutions
• Use public or hybrid clouds for
application and system development
• Akamai, Azure, Oracle, IBM,
Google Cloud Platform (GCP), and
Amazon Web Services (AWS)
Supply Chain Risk Management (SCRM)
A U.S. Policy Priority
• Governments continuously work with
the trade community to manage and
mitigate supply chain security risk
• US Customs and Border Protection (CBP)
and Customs-Trade Partnership Against
Terrorism (C-TPAT) programs
• Initiatives involve third-party assessment
and monitoring and setting minimum
security requirements and service-level
requirements
Supply Chain Risk Management (SCRM)
Delivering measurable data
• Delivering meaningful metrics and analysis related to specific supply chain exposures
• Cargo disruption trends
• Transit modality exposure
• Threats posed by anti-Western terrorist
groups and other criminal elements
• Country risk variables, such as the rule
of law and the effectiveness of local law
enforcement
Generating Reports
• Reports should have as much information as necessary but not a "data overload"
• May need to express in simpler terms or have different reports for different target audiences
• Dashboards are very effective (R programming)
• Understand components of visual communications
• Avoid three-dimensional representation
• Use a palette of sequential colors
• Prefer scatterplots, bar and bubble charts, histograms, density plots, and boxplots over pie charts
Generating Reports
Use Tools that Deliver Results
• CSP tools – CloudWatch, CloudTrail,
Stackdriver, Insights
• R programming and Python modules
• Automated system reports
• PDF files
• Charts and graphs
• Dashboards for visibility
• Written summaries
• After-action reports including "lessons
learned" sections
Business Continuity Planning (BCP)
• BCP involves the preparation of all activities and procedures deployed to avert the loss
of critical business functions and services for a pre-determined unacceptable amount
of time

BCP components: business impact analysis (BIA), disaster recovery plan (DRP), and backup policies
BCP and Incident Response
• Incident Response and forensics is sometimes added to this model as an offshoot of
BCP
BCP from Ready.gov
Key BCP Terminology
• Recovery time objective (RTO)
• The target amount of time within which a critical process must be restored after a disruption
• Recovery point objective (RPO)
• A result of BCP representing the maximum targeted period in which data may be lost from
an IT service due to a major event

• Mean time to repair (MTTR)
• The average time needed to repair a failed system or module
• Mean time between failures (MTBF)
• The amount of failures per million hours for a product
Disaster Recovery
Ensuring that you can help the company
recover from any kind of disaster
• The disaster recovery plan should contain
detailed steps for recovering from any kind
of data loss or physical disaster
• The DRP includes backup and restore
plans, contact information for product
vendors, and step-by-step instructions on
how to recover each part of your
information systems
• A catastrophic event can range from a ransomware attack on a single drive to an entire facility or campus being put out of action
Disaster Recovery Plans
• The disaster recovery plan is a major
component of your BCP that outlines
the technical aspects involving:
• Sites
• Backups and snapshots
• Contact information and chain of
command
• Order of restoration
• Step-by-step instructions
• Locations of documents and software
and keys
Disaster Recovery Process
Recovery Sites
Based on budget and size
• Cold site
• An empty location with no equipment
• Everything needs to be brought in and set
up

• Warm site
• A location that is set up with needed
equipment
• No configuration or resources
• Configurations need to be done and
restored

• Hot site
• Duplicate of the main site that is ready
immediately
Recovery Sites
Based on budget and size
• Exclusive site
• Only for you
• You pay the full fee to have it reserved for you
• If you need it, you have access to it
• Time-shared
• For multiple companies
• Companies share the fee to have it reserved
for them
• If one company needs it, they have access
to it
• What if both need it at the same time?
Business Continuity Exercises
• Plan Review (Read-through)
• Tabletop
• Walkthrough (Exercise)
• Simulation
• Parallel
• Full Interruption
Backups and Restores

• Full
• Incremental
• Differential
• Snapshots
Full Backups
The main ransomware countermeasure
• Backs up everything regardless of
archive bit being set or not
• Clears the archive bit once the backup
completes
• It takes the longest to back up
• Depends on how much has to be backed up
• It is the quickest to restore
• Only the most recent full backup is required
Incremental Backups
• Backs up any new file or any file that has
changed since
• The last full backup
• The last incremental backup
• Clears the archive bit once backup
completes
• Subsequent backups only store changes
that were made since the previous
backup
• The process of restoring lost data from
backup is longer but the backup process
is much quicker
Differential Backups
• Backs up any file that has the archive bit
set
• Any new file or any file that has changed
since the last full backup
• Does NOT clear the archive bit once
backup completes
• Slow to back up
• Quick to restore
• The last full backup and the most recent
differential backup are needed for
restoration
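Added example, not from the slides: a toy file system with an archive bit, run through the three backup types above so the difference in what each set contains and which sets a restore needs is visible. The file names, contents and the three-day schedule are constructed; the archive-bit behaviour (full and incremental clear it, differential does not) is the one the slides describe.

```python
class Volume:
    """Toy file system: name -> [content, archive_bit]."""

    def __init__(self):
        self.files = {}

    def write(self, name, content):
        self.files[name] = [content, True]     # any write sets the archive bit

    def contents(self):
        return {name: content for name, (content, _) in self.files.items()}


def full_backup(vol):
    """Copies everything and clears every archive bit."""
    data = vol.contents()
    for entry in vol.files.values():
        entry[1] = False
    return ("full", data)


def incremental_backup(vol):
    """Copies files with the bit set, then clears it: next run sees only newer changes."""
    data = {n: c for n, (c, bit) in vol.files.items() if bit}
    for entry in vol.files.values():
        entry[1] = False
    return ("incremental", data)


def differential_backup(vol):
    """Copies files with the bit set but leaves it: each run grows until the next full."""
    return ("differential", {n: c for n, (c, bit) in vol.files.items() if bit})


def sets_needed(history):
    """Which backup sets a restore of the latest state requires."""
    last_full = max(i for i, (kind, _) in enumerate(history) if kind == "full")
    later = history[last_full + 1:]
    incrementals = [s for s in later if s[0] == "incremental"]
    differentials = [s for s in later if s[0] == "differential"]
    needed = [history[last_full]]
    if incrementals:
        needed += incrementals            # full plus every incremental since
    elif differentials:
        needed.append(differentials[-1])  # full plus only the latest differential
    return needed


def restore(sets):
    """Replay the sets in order; later copies overwrite earlier ones."""
    state = {}
    for _, data in sets:
        state.update(data)
    return state


def simulate(strategy):
    """Day 0: full backup of three files; day 1: a.txt changes; day 2: b.txt changes.
    Returns (history, sets needed, restored state, live state)."""
    vol = Volume()
    for name, content in (("a.txt", "a0"), ("b.txt", "b0"), ("c.txt", "c0")):
        vol.write(name, content)
    history = [full_backup(vol)]
    partial = incremental_backup if strategy == "incremental" else differential_backup
    vol.write("a.txt", "a1")
    history.append(partial(vol))
    vol.write("b.txt", "b1")
    history.append(partial(vol))
    needed = sets_needed(history)
    return history, needed, restore(needed), vol.contents()


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        history, needed, restored, live = simulate(strategy)
        print(strategy, "set sizes:", [len(d) for _, d in history],
              "sets to restore:", len(needed), "ok:", restored == live)
```

The incremental chain writes one file per day but needs all three sets to restore; the differential chain writes a growing set (the second differential contains both changed files) but restores from just two sets, which is the slow-backup, quick-restore trade-off described above.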
Snapshots
• Easier and faster backups and restores
• Immediate point-in-time virtual copy of
source
• Should be replicated to another media
or cloud storage to be considered a
backup
• Time to back up does not increase with
amount of data
• Improved RTO and RPO
• Restores are faster
• Less data is lost with an outage
Lessons Learned
A section of After-Action Report
• Knowledge gained from the process of
conducting the program, project, or task
included in After-Action Report (AAR)
• Formal sessions usually held at the
project close-out, near the completion of
the initiative
• Recognized and documented at any point during the life cycle to:
• Share and use knowledge derived from an experience
• Endorse the recurrence of positive outcomes
• Prevent the recurrence of negative outcomes
CSIRT (Computer Security Incident Response Team)
Incident Response Team (IRT)
• Receives alerts and alarms of security breaches
• Determines severity and implements plans and procedures
• Conducts analysis of activities and documents action plan
• Performs forensics and investigative techniques
• CSIRT (Computer Security Incident Response Team)
• May be a pre-designed group or an ad hoc association
• Internal IRTs gather periodically for proactive tasks such as DR testing, and vulnerability and penetration testing and assessment
• Members come from various business units and skillsets
CSIRT (Computer Security Incident Response Team)
Map the BCP and DRP to the Incident Response Plan
• Incident management and response should be balanced with security baselines
• Incident response plans (IRPs) may include some business continuity and disaster recovery initiatives
• It involves the same level of executive management support and signoff
• There's a need to understand at what point the incident triggers the BCP and/or DRP
Hunt Teams
• Groups of cyber investigators aggressively seek out threats on a network or system – often as compliance auditors
• They attempt to quickly recognize anomalies and discover historic patterns in data and Indicators of Compromise (IoCs) to counter cybercriminals and mitigate threats
• Team members often dig through data to fix security problems, replicate bugs, and repair vulnerabilities in code
• Big data security analytics often generates metrics for collecting, organizing, storing, analyzing, and visualizing results
Post-incident Response
• Perform root-cause analysis
• Examine and determine the core reasons for any incident or failure
• Phases: collect, record, analyze, and then recommend
• An after-action report is any type of retroactive analysis of a series of goal-oriented activities, generally performed by the originators of the exercises
• Analytical AARs have three key goals:
• Identifying problematic issues and areas for improvement
• Recommending measures to counteract challenges
• Finding "lessons learned"
Forensic Investigation
Why perform forensics?
• Laws have been violated
• Organizational policies have been violated
• Systems have been attacked
• Data and identity breached
• Intellectual property has been exfiltrated
Cyber Forensics
• Always consider legal actions
• Seek counsel as your findings may be needed in court
• Legal holds may be placed on resources – a legal hold (also litigation hold) is a notification sent from an organization's legal team to employees commanding them not to delete electronically stored information (ESI), or discard documents, that may be pertinent to a new or pending legal case
• Distinguish an event from a cyber incident
• Establish first responders and procedures
• Disconnect from network but do not power down
• Use forensic tools to make hashed images of:
• Memory, system files and registry/config files, internal and external volumes, e-mail and messaging data, and various log files
E-discovery
• Innovative technology has emerged over the last 10 years to lower the risks and costs
associated with big data, especially in litigation and internal corporate/government
investigations
• The e-discovery process includes four phases
1. Identifying and collecting documents
2. Sorting through data by relevance
3. Creating production sets
4. Data management
Forensic Investigation Procedures
Everything must be documented!
• Investigations need to be carried out in a standardized manner
• Identification of the crime
• Collection of evidence
• Examination of the evidence
• Analysis of the evidence
• Reporting on the findings of the analysis
1. Identification
Detecting the incident
• Once you have determined this is not an
event but rather an incident that needs
forensics, you will identify and classify
• The notification can come from:
• Personal complaint
• Monitoring system
• Audit
• IDS/IPS alarm
• Notification from trusted source
2. Collection
Order of volatility
1. CPU, cache, and register content
2. Routing table, ARP cache, process
table, and kernel statistics
3. Memory
4. Temporary file system/swap space
5. Data on hard disk
6. Remotely logged data
7. Data on archival media
8. Witnesses
2. Collection
Use a variety of tools
• Forensic toolkits (EnCase from
Guidance)
• Write-blockers
• Utilities
• tcpdump
• dd
• nbtstat and netstat
• nc (Netcat)
• memcopy
• tshark
• foremost
dd
• Write disk image files to memory cards and removable storage
• Often used for flashing IMG files to SD cards
• Create bootable USB stick from ISO files of Linux installations
• Backup and restore IMG files to memory card and disk
• Install and restore compressed disk image files on the fly
• Supported file formats: IMG, ISO, Zip, GZip, and XZ
• Backup and compress disk image files to significantly reduce the file size of backups
2. Collection
Handle the evidence properly
• Imaging technologies (create copies)
• Memory dumps
• HDD bit-level copy, sector by sector
• Includes deleted files, slack spaces, and unallocated clusters
• Write-blockers
• Look for encrypted volumes and files
• Digital pictures
• Interviews
2. Collection
Maintain chain of custody
• Strict and organized procedures for
collecting and tagging evidence (no
exceptions)
• Provide a history of the handling of
the evidence
• Maintains evidence integrity
• Provides accountability
• Prohibits tampering
• Follows evidence through entire life cycle
Chain of Custody Steps
1. Record each item collected as evidence
2. Record who collected the evidence along with the date and time it was collected or recorded
3. Write a description of the evidence in the documentation
4. Put the evidence in containers and tag the containers with the case number, the name of the
person who collected it, and the date and time it was collected or put in the container
5. Record all message digest (hash) values in the documentation
6. Securely transport the evidence to a protected storage facility
7. Obtain a signature from the person who accepts the evidence at this storage facility
8. Provide controls to prevent access to and compromise of the evidence while it is being stored
9. Securely transport the evidence to court for proceedings
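Added example, not from the slides: steps 1, 2, 4, 5 and 7 of the chain of custody above as a small Python record, plus the integrity check used later in the examination phase (work on a copy, confirm its hash matches what was recorded at acquisition). The case number, handlers, timestamps and the "disk image" bytes are constructed placeholders. Chaining each log entry to the hash of the previous one is an addition of mine to make later edits to the handling history detectable; the slides only require that the history be kept.

```python
import hashlib
import json

CASE_NUMBER = "CASE-PLACEHOLDER-001"   # placeholder, not a real case number

# Constructed stand-in for an acquired disk image; a real image is read from
# the file the imaging tool (for example dd) produced.
EVIDENCE_IMAGE = b"constructed raw image bytes 0123456789" * 64


def digests(data: bytes) -> dict:
    """Step 5: record more than one message digest of the acquired image."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


class CustodyLog:
    """Append-only handling history. Each entry is hashed together with the
    previous entry's hash so that altering or reordering entries is detectable."""

    GENESIS = "0" * 64

    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries = []

    @staticmethod
    def _hash_entry(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, item_id: str, action: str, handler: str, timestamp: str, **fields):
        """Steps 1, 2 and 4: what was collected, by whom, and when."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "case": self.case_number,
            "item": item_id,
            "action": action,        # "acquired", "transferred", "stored", ...
            "handler": handler,
            "time": timestamp,
            "prev_hash": prev,
            **fields,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify_log(self) -> bool:
        """Replay the chain; any altered or reordered entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash_entry(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_copy(self, item_id: str, data: bytes) -> bool:
        """Examination works on copies: confirm a copy matches the digests
        recorded at acquisition before analysing it."""
        acquired = next(e for e in self.entries
                        if e["item"] == item_id and e["action"] == "acquired")
        return digests(data) == {"sha256": acquired["sha256"], "md5": acquired["md5"]}


def build_sample_log():
    """Walk one item through acquisition, transport and storage (constructed)."""
    log = CustodyLog(CASE_NUMBER)
    log.record("ITEM-01", "acquired", "examiner A", "2024-01-01T10:00:00Z",
               description="laptop SSD, bit-level image", **digests(EVIDENCE_IMAGE))
    log.record("ITEM-01", "transferred", "courier B", "2024-01-01T12:30:00Z",
               received_by="evidence custodian C")        # step 7: receipt acknowledged
    log.record("ITEM-01", "stored", "evidence custodian C", "2024-01-01T13:00:00Z",
               location="locked cabinet 3")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("log intact:", log.verify_log())
    print("working copy matches acquisition:", log.verify_copy("ITEM-01", EVIDENCE_IMAGE))
    print(json.dumps(log.entries[0], indent=2))
```

The two checks answer different questions: verify_copy shows the bytes being examined are the bytes that were acquired, and verify_log shows nobody has quietly rewritten who handled the item or when.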
Chain of Custody Documentation
2. Collection
Media management
• Should have a software inventory
system for configuration items and a
category for components removed for
investigative and forensic purposes
• Collected media (all types) must be
classified and labelled
• Secure storage facilities with dual
operators include
• Locked rooms
• Locked cabinets
• Safes
• Offsite storage facilities
3. Examination
Extract and examine the evidence
with a witness
• Use the copies, not the original
• Create hashes for integrity
• Maintain Chain of custody
• Use tested techniques for:
• Validation
• Filtering
• Pattern matching
• Hidden data discovery and extraction
• Tracing
4. Analysis
Building your incident picture
• Answering the who, what, where, when, why, how?
• Infer motive, opportunity, means
• If more information is needed, then
iterate back to collection and
examination
• Involves an art and a science
• Use expert judgment of others
5. Reporting
Communicating results
• Meet with proper authorities
• Provide documents of all findings
• Offer expert testimony
• Provide any needed clarification
• Identify overall impact on business
• Recommend any countermeasures
• Track people hours and expenses
• Who, what, when, how – important
for court and other proceedings
