(Fios#03) 5. Forensic Techniques That Revive Even Dead Services

Post on 12-Apr-2017


Transcript of (Fios#03) 5. Forensic Techniques That Revive Even Dead Services

The 3rd FIOS(F-INSIGHT OPEN SEMINAR)

Resurrect the System and Services: Forensic Techniques That Revive Even Dead Services

ykei

@ykx100

forensicinsight.org Page 2

Table of Contents

1. Cold or Hot Evidence

2. Resurrection

3. Chain of Custody

Cold or Hot?

Cold or Hot Evidence

Top Class Forensic Scientist

One of the Top Class Forensic Scientists

Meet the bruised body, with breath
One of the Top Class Forensic Scientists

Do you remember?
Specialized in dead bodies

Now he got the cold body
as he wished
Is it fair?

Digital Evidence?

Have you ever done it like this?

Same cold evidence.

But, the benefits of live forensics:
Short way to extract
Quick response
Seize the live data

Increased size and complexity of data
Hard to find evidence

Still, you wanna kill the hot & take the cold body for analysis?

Stop pulling the plug

Boooooring… I know that, already

Someone killing the hot body:
Mistake
Wrong decision
Bad situation

If someone gives you the shit,

Resurrection

Unified Log Monitor System
Pulled the plug and imaged the disks
Can you export all the logs from the DB?
Where is the start point?
Here is shit…

Resurrect System

Virtually mount the disk image files

Check the kernel version information

Check filesystem information

Make the VM with the mounted disk

Now boot,
Meet the kernel panic
So I present this now :)

Try to rescue boot [ linux rescue, chroot /mnt/sysimage ]

Physical driver to virtual [ /etc/modprobe.conf ]

Check disk order [ fdisk -l ]

Check original mount point [ /etc/fstab ]

Fix the RAID bug [ /etc/grub.conf ]

Grub information update [ grub-install ]

Update kernel information [ mkinitrd ]
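The boot-fixing steps above (disk order, /etc/fstab, grub.conf) come down to one question: does every device the imaged system expects at boot actually exist in the VM? The Python script below is an added example, not code from the talk or from forensicinsight.org. The fstab, grub.conf and the VM's device inventory in it are constructed sample data, and the function names (check_fstab, rewrite_fstab, check_grub) are my own. It flags the entries that would stall the boot (a RAID node or a second disk that was never attached, a grub root on a disk the VM does not have) and rewrites fstab for the new device names.

```python
"""Pre-boot sanity check for a resurrected disk image (added example, not from
the slides). Cross-checks /etc/fstab and grub.conf from the imaged system
against the block devices the VM actually presents, and rewrites fstab for the
new device names. All file contents and device lists below are constructed."""
import re

# Constructed /etc/fstab as found on the imaged server.
FSTAB_ORIGINAL = """\
/dev/md0                 /boot     ext3   defaults  1 2
/dev/VolGroup00/LogVol00 /         ext3   defaults  1 1
UUID=1111-2222           /data     ext3   defaults  1 2
LABEL=logs               /var/log  ext3   defaults  1 2
/dev/sdb1                /backup   ext3   defaults  0 0
tmpfs                    /dev/shm  tmpfs  defaults  0 0
proc                     /proc     proc   defaults  0 0
"""

# Constructed grub.conf from the imaged server (/boot lived on the third disk).
GRUB_ORIGINAL = """\
default=0
timeout=5
title CentOS (2.6.18-8.el5)
        root (hd2,0)
        kernel /vmlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 quiet
        initrd /initrd-2.6.18-8.el5.img
"""

# Constructed view of the VM: block devices (what `fdisk -l` lists), LVM
# volumes, and the UUID/LABEL values `blkid` reports. One virtual disk attached.
VM_DEVICES = {"/dev/sda1", "/dev/sda2", "/dev/sda3", "/dev/VolGroup00/LogVol00"}
VM_UUIDS = {"1111-2222": "/dev/sda3"}
VM_LABELS = {"logs": "/dev/sda2"}
VM_DISK_COUNT = 1
PSEUDO_FS = {"tmpfs", "proc", "sysfs", "devpts", "swap", "none"}


def parse_fstab(text):
    """Yield (spec, mountpoint, fstype) for every non-comment fstab line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2]


def resolve(spec):
    """Map an fstab device spec to a device the VM can see, or None."""
    if spec.startswith("UUID="):
        return VM_UUIDS.get(spec[5:])
    if spec.startswith("LABEL="):
        return VM_LABELS.get(spec[6:])
    return spec if spec in VM_DEVICES else None


def check_fstab(text):
    """Return [(spec, mountpoint)] for entries the VM cannot satisfy at boot."""
    return [(spec, mnt) for spec, mnt, fstype in parse_fstab(text)
            if fstype not in PSEUDO_FS and resolve(spec) is None]


def rewrite_fstab(text, mapping):
    """Rewrite device specs via `mapping` (old -> new) and comment out entries
    that still cannot be resolved so they do not block the boot."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            spec, fstype = fields[0], fields[2]
            new_spec = mapping.get(spec, spec)
            if fstype not in PSEUDO_FS and resolve(new_spec) is None:
                out.append("#" + line + "  # not present in VM")
                continue
            line = line.replace(spec, new_spec, 1)
        out.append(line)
    return "\n".join(out) + "\n"


def check_grub(text, disk_count=VM_DISK_COUNT):
    """Return problems in grub.conf: a `root (hdN,M)` pointing past the disks
    the VM has, or a kernel root= device the VM cannot resolve."""
    problems = []
    for m in re.finditer(r"^\s*root\s+\(hd(\d+),\d+\)", text, re.M):
        if int(m.group(1)) >= disk_count:
            problems.append("%s points past the VM's %d disk(s)"
                            % (m.group(0).strip(), disk_count))
    for m in re.finditer(r"\broot=(\S+)", text):
        if resolve(m.group(1)) is None:
            problems.append("kernel root=%s not visible in VM" % m.group(1))
    return problems


if __name__ == "__main__":
    print("unresolved fstab entries:", check_fstab(FSTAB_ORIGINAL))
    print(rewrite_fstab(FSTAB_ORIGINAL, {"/dev/md0": "/dev/sda1"}))
    print("grub problems:", check_grub(GRUB_ORIGINAL))
```

On a real image the inventory sets are filled from `fdisk -l` and `blkid` run inside the rescue shell, and the edited fstab and grub.conf are written to the working copy only, after the original image has been hashed. A corrected grub root entry and a fresh initrd (the grub-install and mkinitrd steps) then follow; this script only tells you what needs changing.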

Still no heartbeat of service

Resurrect Service

Adjust network environment [ ifconfig ]

Recover DB files

Maybe it is not a good idea…

But, you can cheat the history :) [ history ]

Now the service is warmed

Maybe you need to recover the PW from the DB

But, does resurrection break the chain?

Chain of Custody

No, the chain is fine

When preservation is done,
CoC starts.

Don't be scared, do hash
For compatibility: MD5
For security: SHA256 (or higher)
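As an added example (not from the slides), the Python script below does what the last two slides prescribe: it computes MD5 and SHA-256 of the acquired image in a single pass, records them in a manifest at the moment preservation ends, and re-verifies the files later. The manifest format, file names and examiner id are my own assumptions; the "image" is constructed sample bytes written to a temporary directory. The demo also shows why resurrection does not break the chain: the VM works on a copy, and the original keeps verifying against the manifest.

```python
"""Chain-of-custody hashing for an acquired image (added example, not from the
slides). MD5 for compatibility with older tooling, SHA-256 for integrity; both
are computed in one pass so a multi-GB image is read only once."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks; never load the whole image


def hash_bytes(data):
    """Return (md5_hex, sha256_hex) of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    """Return (md5_hex, sha256_hex) computed in a single pass over the file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def write_manifest(paths, manifest_path, examiner):
    """Record MD5, SHA-256 and size for each evidence file. This is the point
    where preservation is finished and custody tracking begins."""
    stamp = datetime.now(timezone.utc).isoformat()
    with open(manifest_path, "w") as out:
        out.write("# acquired by %s at %s\n" % (examiner, stamp))
        for p in paths:
            md5, sha = hash_file(p)
            out.write("%s  %s  %d  %s\n"
                      % (md5, sha, os.path.getsize(p), os.path.basename(p)))
    return manifest_path


def verify_manifest(manifest_path, directory):
    """Re-hash every listed file; return {name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    with open(manifest_path) as mf:
        for line in mf:
            if line.startswith("#") or not line.strip():
                continue
            md5, sha, size, name = line.rstrip("\n").split("  ", 3)
            path = os.path.join(directory, name)
            if not os.path.exists(path):
                results[name] = "MISSING"
                continue
            got_md5, got_sha = hash_file(path)
            ok = (got_md5 == md5 and got_sha == sha
                  and os.path.getsize(path) == int(size))
            results[name] = "OK" if ok else "MISMATCH"
    return results


def demo():
    """Constructed scenario: hash an image, work on a copy, then show what a
    damaged original looks like to the verifier. Returns the three verdicts."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "server-sda.dd")
    with open(image, "wb") as f:  # constructed stand-in for a dd image
        f.write(b"\x00" * 4096 + b"CONSTRUCTED DISK IMAGE" + b"\xff" * 4096)
    manifest = write_manifest([image], os.path.join(d, "evidence.manifest"),
                              "examiner-01")
    intact = verify_manifest(manifest, d)["server-sda.dd"]
    # Resurrection happens on a copy: the VM boots the .work file read-write,
    # the original is never opened for writing.
    shutil.copyfile(image, image + ".work")
    with open(image + ".work", "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    still_intact = verify_manifest(manifest, d)["server-sda.dd"]
    # Now damage the original itself to show that the verifier catches it.
    with open(image, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    damaged = verify_manifest(manifest, d)["server-sda.dd"]
    shutil.rmtree(d)
    return intact, still_intact, damaged


if __name__ == "__main__":
    print(demo())  # ('OK', 'OK', 'MISMATCH')
```

The manifest line carries both digests plus the size, so a reviewer with only `md5sum` on hand can still check the file, while the SHA-256 is what you rely on when integrity is disputed.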

But be prepared, always
Guide
Tools for your environment
Storage for backup
And hiring the real expert
Don't be deceived by crooks

Now, Cold or Hot?

Conclusion

Virtual technology is awesome
I can resurrect the cold media
Sometimes, it is a very efficient method

Please reconsider pulling the plug
Do not send the shit to me
If you give me the shit, I can get over that, too.

Hello, digital media necromancer!
Do you have a question?