Infosec Blog

Self-Assessment Questionnaire (SAQ)

2/23/2018

 
  • A - Card-not-present merchants, all cardholder data functions fully outsourced
  • A-EP - E-commerce merchants, partially outsourced
  • B - Imprint machines only or standalone dial-out terminals, no electronic card storage; data not transmitted
  • B-IP - Merchants using only PTS-approved standalone payment terminals (point-of-interaction devices) with an IP connection to a payment processor; data transmitted via IP
  • C-VT - Merchants who manually enter a single transaction at a time via keyboard into an Internet-based virtual terminal
  • C - Merchants with payment application systems connected to the Internet, no electronic card data storage
  • D - Merchants and service providers not included in the descriptions above

Quarterly To-Do PCI List

2/23/2018

 
- Password reset: users' passwords/passphrases should be changed every 3 months (minimum)
- Check for wireless access points: implement a process to test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points
- An audit trail history should be available immediately for analysis

PCI DSS Appendix

2/23/2018

 
PCI DSS Appendix A: Shared hosting providers

Good to Know about Payment Card Industry

2/23/2018

 
Methods for stealing payment card data include:
- Skimming
- Malware
- Weak passwords

Sensitive authentication data exists in the magnetic stripe or chip, and is also printed on the payment card. On a credit card there are two tracks, of 79 and 40 characters.

Payment Card Flow
Authorization, Clearing, Settlement, Undo (If Needed)

What are the 12 PCI Requirements

2/23/2018

 

  1. Have a firewall
  2. No defaults
  3. Protect stored data
    1. Hash the entire PAN using strong cryptography while transferring
  4. Encrypt transmission of data over networks
  5. Have antivirus
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data - role-based access control.
    1. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
    1. A digital certificate is valid as "something you have" as long as it is unique to a particular user.
    2. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to cardholder data and network resources
  11. Test regularly
  12. Have a policy
    1. Information security policies must be reviewed/updated yearly to meet the requirement.
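As an added example (not code from the original post) of what requirement 3 looks like in code: a PAN is validated, masked to the first six and last four digits for display, and replaced by a keyed hash wherever a searchable value is needed. The key and the test card number are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder secret: in practice it lives in an HSM or key vault,
# never next to the hashes it protects.
HASH_KEY = b"replace-with-a-managed-secret"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to reject values that cannot be a PAN before they are stored or logged."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be displayed."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of the full PAN. An unkeyed SHA-256 of a 16-digit number can be
    brute-forced from the BIN and the Luhn digit, so a secret key is required."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
```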

Infosec - Weblinks

2/19/2018

 
Cyber Threat - Real Time Map
https://cybermap.kaspersky.com
http://hp.ipviking.com/

How to hide name and computer name from the terminal

2/18/2018

 
echo "export PS1='$ '" >> ~/.bash_profile

How file gets stored in HDFS

2/18/2018

 

  • Imagine a big text file
  • The file is broken up into several blocks of data (chunks)
  • Each block is stored on a different node in the cluster
  • Advantages of doing this:
    • Each block is of equal size, which allows HDFS to deal with bigger files in the same way
    • Makes storage simple
    • Only multiple copies of a block, not of the whole file, need to be kept on different nodes
    • Always dealing with the same amount of data - good for processes and equal processing time
  • Optimum block size is 128 MB
  • The NameNode contains the mapping of blocks to DataNodes

Components of Hadoop Distributed file System (HDFS)

2/18/2018

 

  • HDFS is spread across multiple machines (simple, commodity hardware)
  • Nothing is unique about an individual machine; the unique part is that the cluster as a whole is highly fault tolerant
  • Well suited for large batch jobs
  • Not a low-latency system
  • Data in HDFS is very, very large (semi-structured)
  • Any data in HDFS is split across multiple disks, where each disk is present on a different machine in the cluster
  • The file system manages machines and space
  • Set up as master-slave nodes
  • The master node (NameNode) coordinates with the slave nodes (DataNodes)
  • One NameNode per cluster
  • For example, the NameNode is like the table of contents of a book and the DataNodes are the actual chapters
  • The NameNode has two responsibilities:
    • Manage the overall file system
    • Store the directory structure and other file metadata
  • DataNode
    • Physically stores the data

How to Store Bash output in a Variable?

7/22/2017

 
token=$(command)
echo "$token"
test=$(cat test.txt)
echo "$test"
Quote the expansion ("$test") so that whitespace and glob characters in the output are preserved.

Identify a Process and Kill it

7/1/2017

 
  1. Find out what process ID (pid) is using the required port (e.g. port 5434):
    lsof -i :5434
  2. Kill that process:
    kill -9 <pid>

MAC Timeline Analysis

6/5/2017

 
In this article, I am going to talk about a basic forensic timeline analysis procedure:
  1. Identify the partitions in an image using the mmls <filename> command. Don't forget to make a note of the start sector of the partition.
  2. Identify the type of filesystem it has using the fsstat -o <start sector> <filename> command.
  3. List all the files, including deleted files, by name using this command: fls -o <offset> -f <filesystem> -m "/" -r <filename> > flsbody
  4. What if a deleted file does not have a name? Use this command: ils -o <offset> -f <filesystem> -m <filename> > ilsbody
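An added example (not part of the original article) of what comes after steps 3 and 4: the body files written by fls -m and ils -m are parsed and merged into a MAC timeline, which is what mactime does with them. The body lines are constructed samples in TSK's 11-field format.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x body format written by fls -m / ils -m:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/Users/alice/notes.txt|12345|r/rrw-r--r--|501|20|2048|1496102400|1496098800|1496098800|1496016000
0|/Users/alice/secret.docx (deleted)|12346|r/rrw-r--r--|501|20|4096|1496106000|1496106000|1496106000|1496105400
0|image.dd-dead-9001|9001|-/rrw-r--r--|501|20|512|1496109600|1496109600|1496109600|0
"""


def parse_body(text):
    """One dict per body line; the four timestamps are epoch seconds."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("bad body line: " + line)
        rows.append({"name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
                     "a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])})
    return rows


def mac_timeline(rows):
    """Group every entry's timestamps by second and emit one row per second, flagged
    with the MACB letters that fire at that time (a 0 timestamp means unknown)."""
    by_time = defaultdict(list)
    for r in rows:
        flags = defaultdict(str)
        for letter in "macb":
            if r[letter] > 0:
                flags[r[letter]] += letter
        for t, macb in flags.items():
            by_time[t].append((macb, r))
    out = []
    for t in sorted(by_time):
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        for macb, r in by_time[t]:
            letters = "".join(l if l in macb else "." for l in "macb")
            out.append((stamp, letters, r["inode"], r["size"], r["name"]))
    return out
```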

Linux- Forensics Commands

6/5/2017

 
  • uptime - tells you how long the system has been up. In case of a system compromise, it's a handy command.
  • uname -a : OS, filesystem information
  • ifconfig - network configuration; look for the IP address and whether the interface is in promiscuous mode or not.
  • netstat -at : shows TCP connections
  • lsof : lists open files and shows open network connections
  • lsof +L1 : lists files that have been deleted but are still held open (link count less than 1).

Antedating

5/31/2017

 
Antedating: creating a document with incorrect time stamps.
Investigation:
  • Analyzing the metadata of the document to get the baseline information is the first step.
  • Secondly, perform a comparative analysis of the metadata of all the documents under investigation.
  • One might get some important information from the source machine. Analyze the event logs if it's a Windows machine.
  • Look at the email headers if the document was shared via email.
  • Use basic common sense in the analysis by looking at the OS and the release date of the file format (extension).

How to antedate a document?
  • Use software to change the metadata.
  • Changing the computer time before creating an electronic document is another method of antedating, as the metadata for the newly created electronic file will be based on the incorrect system clock.
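An added check (not from the original post) for the investigation steps above: each document's internal timestamps are compared with each other, with the file system's timestamps of the same file, and with the dates the file format and the producing application first existed; the set is then compared as a whole. The reference dates and the sample documents are constructed placeholders.

```python
from datetime import datetime

# Constructed reference tables (placeholders, approximate): fill them from vendor release notes.
FORMAT_RELEASE = {"docx": datetime(2007, 1, 30), "pdf": datetime(1993, 6, 15)}
APP_RELEASE = {"Microsoft Office Word 2016": datetime(2015, 9, 22)}

# Constructed sample set: one honest file, one backdated with a metadata editor,
# one created after the system clock was rolled back.
SAMPLE = {
    "honest.docx": dict(extension="docx", application="Microsoft Office Word 2016",
                        created=datetime(2017, 1, 10), modified=datetime(2017, 1, 12),
                        fs_created=datetime(2017, 1, 10)),
    "backdated.docx": dict(extension="docx", application="Microsoft Office Word 2016",
                           created=datetime(2006, 5, 1), modified=datetime(2006, 5, 2),
                           fs_created=datetime(2017, 3, 1)),
    "clock.docx": dict(extension="docx", application="Microsoft Office Word 2016",
                       created=datetime(2017, 2, 1), modified=datetime(2017, 1, 1),
                       fs_created=datetime(2016, 12, 1)),
}


def antedating_flags(doc):
    """Inconsistencies in one document: internal created/modified metadata against
    the format's and application's release dates and the file system creation time."""
    flags = []
    if doc["created"] > doc["modified"]:
        flags.append("internal created time is after the internal modified time")
    fmt = FORMAT_RELEASE.get(doc["extension"])
    if fmt and doc["created"] < fmt:
        flags.append("created before the %s format existed" % doc["extension"])
    app = APP_RELEASE.get(doc["application"])
    if app and doc["created"] < app:
        flags.append("created before %s was released" % doc["application"])
    if doc["fs_created"] < doc["created"]:
        flags.append("file existed on disk before its internal creation time")
    return flags


def order_mismatch(docs):
    """Comparative analysis across the set: ordering the documents by claimed creation
    time should match ordering by file system creation time; names that move are returned."""
    by_claim = sorted(docs, key=lambda n: docs[n]["created"])
    by_disk = sorted(docs, key=lambda n: docs[n]["fs_created"])
    return [n for n, m in zip(by_claim, by_disk) if n != m]
```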

Readings:
http://www.cse.scu.edu/~tschwarz/COEN252_13/Papers/antedating.pdf

Reading

5/24/2017

http://www.theglobaldispatch.com/digital-forensics-and-the-fbi-how-todays-tech-will-help-solve-hillarys-email-investigation-55389/

Things you'll lose after turning off suspect computer?

5/23/2017

 
Let me try to list some of the volatile data that an incident response team will lose if they turn off the suspect's machine.
1) Logged-in users
2) TCP connections
3) Running processes

Network Forensics

5/12/2017

Network Forensics: it's basically the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate security incidents.
It can reveal many things, like the source of security incidents and attacks, the path of the attack, and the techniques used by the attacker.
Types of network addressing scheme:
  • LAN addressing: each node of a LAN has a MAC address. Data packets are directed to either one of the nodes or all nodes.
  • Internet addressing: an Internet address is a combination of a network address and a node address. IP is responsible for network layer addressing in the TCP/IP protocol suite.
What is an IDS?
An intrusion detection system gathers and analyzes information.
Types:
  • Network based: it's a black box placed in a network, listening for patterns indicative of an attack.
  • Host based: includes auditing the events that occur on a specific host.
  • Log file monitoring: parses log files after the events have already occurred.
  • File integrity checking: checks for Trojan horses or tampered files.
Honeypots:
As the name suggests, a honeypot is set up to attract and trap people.
Network Attacks:
IP address spoofing: the attacker changes his/her IP address to hide their identity.
Man in the middle attack: the attacker intrudes into an existing connection between systems in order to intercept the messages being exchanged.
Packet sniffing: an attacker can capture packets by putting a packet sniffer on the network.
Buffer overflow: a buffer overrun in the stack space. The attacker injects malicious code onto the stack and overflows a buffer to overwrite the return pointer, so that the flow of control switches to the malicious code.
New line injection attack: the attacker injects plaintext into the log file.
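An added example (not from the original post) of the new line injection attack and its fix: the vulnerable log writer concatenates a user-controlled field verbatim, so a value containing a line break turns into a forged second entry; the hardened writer escapes control characters and quotes the field. The log format and the forged name are constructed for the example.

```python
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed attacker-controlled value: a user name that carries a line break
# followed by a complete second entry.
FORGED_NAME = "bob\nLOGIN outcome=SUCCESS user=admin"


def log_line_naive(outcome, user):
    # Vulnerable form: the user-controlled field goes in verbatim, so a "\n" in it
    # ends the current entry and starts a new one written by the attacker.
    return "LOGIN outcome=%s user=%s" % (outcome, user)


def log_line_safe(outcome, user):
    # Hardened form: control characters become \xNN and the field is quoted, so the
    # entry stays on one line and the raw input is still recoverable by a reviewer.
    escaped = CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), user.replace("\\", "\\\\"))
    return 'LOGIN outcome=%s user="%s"' % (outcome, escaped.replace('"', '\\"'))


def parse_log(text):
    """Read the log back the way a reviewer or SIEM would: one (outcome, user) per line."""
    records = []
    for line in text.split("\n"):
        m = re.match(r'LOGIN outcome=(\w+) user="?(.*?)"?$', line)
        if m:
            records.append((m.group(1), m.group(2)))
    return records
```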

Logs and event correlation

5/11/2017

 
Computer security logs – contain information about events in an organization's systems and network
  1. OS logs - logs of the OS for servers, workstations and network devices
    i. Event logs: operational actions by the OS
    ii. Audit logs: security event information like failed authentication, file access, policy changes, account changes
  2. Application logs: all events logged by programs, e.g. email servers and database servers.
  3. Security logs: logs of network- and host-based security software, like antivirus logs and all security-related logs.
Router log file:
  • Stores logs in the router cache
  • Detailed info about the network traffic
Honeypot logs:
  • Logs from honeypots are considered suspicious
  • The honeypot admin is the only authorized user.
Application logs: application logs store event messages recorded by Windows applications.
Popular Event IDs
  • 528 – Successful logon to an account
  • 531 – Logon attempt made by a disabled account
  • 532 – Logon attempt with an expired account
Port number:
UDP port 123 - NTP
Event correlation approaches:
  • Graph based
  • Neural network based
  • Codebook based
  • Rule based
  • Field based
  • Automated field
  • Payload correlation
Types of correlation:
  • Same platform correlation
  • Cross platform correlation

Steganography Basics

5/10/2017

 
What is Steganography?
Hiding a secret message within an ordinary message and extracting it at the destination, to maintain the confidentiality of the data.
Example: a popular method is hiding a file inside an image, or using an image file as a cover.
http://www.wikihow.com/Hide-a-File-in-an-Image-File
Techniques:
  • Substitution techniques
  • Transform domain techniques
  • Cover generation techniques
  • Spread spectrum techniques
  • Distortion techniques
  • Statistical techniques
Classification:
Technical steganography:
Uses physical and chemical means to hide the existence of a message. Examples – invisible ink, microdots, and in computers (using redundant information in pictures, text, sound etc.).
Linguistic steganography:
Uses written natural language to hide the message in the carrier in some non-obvious way.
  1. Semagrams – use visual symbols or signs. Further classified into visual semagrams (e.g. doodles) or text semagrams (small changes in font size, color etc.)
  2. Open codes – hide the message in a specifically designed pattern that is unclear to the normal user.
    1. Jargon code – only a group of people can understand it
    2. Covered ciphers (null ciphers and grille ciphers): hidden openly in the carrier medium.
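An added example (not from the original post) of the substitution technique from the list above, applied to a constructed carrier instead of a real image: least-significant-bit embedding, the matching extraction, and the measure a statistical steganalysis looks at.

```python
def bits_of(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Substitution technique: the least significant bit of each carrier byte is replaced by
    one message bit. A 4-byte big-endian length comes first so extraction knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("carrier too small: need %d bytes" % (len(payload) * 8))
    out = bytearray(cover)
    for i, bit in enumerate(bits_of(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: collect the LSBs, read the length, then that many bytes."""
    def read_byte(offset):
        val = 0
        for b in stego[offset:offset + 8]:
            val = (val << 1) | (b & 1)
        return val
    length = int.from_bytes(bytes(read_byte(8 * i) for i in range(4)), "big")
    if 32 + 8 * length > len(stego):
        raise ValueError("length header does not fit the carrier")
    return bytes(read_byte(32 + 8 * i) for i in range(length))


def changed_fraction(cover: bytes, stego: bytes) -> float:
    """Share of carrier bytes altered by embedding. Each altered byte moves by exactly 1,
    which is why LSB hiding is invisible to the eye but visible to statistical tests."""
    return sum(a != b for a, b in zip(cover, stego)) / len(cover)


# Constructed carrier: pretend these are raw 8-bit sample values of an image.
COVER = bytes((i * 37 + 11) % 256 for i in range(512))
```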

Windows Forensics Basics

5/10/2017

 
Windows Forensics:
Cache memory and history analysis:
IE:
  • Content.IE5 files – temporary internet files
  • AppData folders – contain cookies
  • History folder
IE Cookies View tool – for analysis
Firefox:
MD5 hash
  • 32 hex digits - 128-bit message digest
  • Not collision resistant
  • Checks the integrity of the tool
Recycle Bin:
  • When a file is deleted, a sub-directory is created
  • Recycler
  • Remember the naming convention for Recycler: <Drive Name – Hash>
  • INFO2 contains the records related to the data.
Restore Points:
  • RP.Log filename
Change.log.x files
  • Format: Axxxxx.ext
  • x is the sequence number and ext is the extension of the file.
Prefetch:
  • Prefetch files leave traces, and data can be collected from them.
Shortcut files
  • Use .lnk files
File Signature Analysis:
  • Collect information from the first 20 bytes of a file
  • MAC time stamps: Modification, Access and Change time. Managed by the OS in UTC format
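An added example (not from the original post) of file signature analysis as described above: the first bytes of a file are matched against known magic values and compared with what the extension claims, which catches a file renamed to hide its real type. The signature table covers a handful of common formats and the sample headers are constructed.

```python
# Magic bytes at offset 0 for a handful of common formats (values as published in the
# usual file-signature lists); extend the table as needed.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                        # also docx/xlsx/pptx: zip containers
    b"MZ": "exe",                                # DOS/PE executables, DLLs, drivers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # OLE2 compound file: doc/xls/ppt/msi
}

# Extensions that legitimately carry each signature.
COMPATIBLE = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "jpg": {"jpg", "jpeg"},
    "ole": {"doc", "xls", "ppt", "msi"},
    "exe": {"exe", "dll", "sys", "scr"},
}


def identify(header: bytes):
    """Return the format name whose magic the header starts with, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def signature_mismatch(name: str, header: bytes) -> bool:
    """True when the extension claims a type that the first 20 bytes do not support."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(header[:20])
    if kind is None:
        return False      # unknown signature: nothing to compare against
    return ext not in COMPATIBLE.get(kind, {kind})
```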
Static Analysis
  • You'll not execute the file - just open it in some application and review the data.
Dynamic Analysis:
  • You'll execute the file in order to analyze it.
  • Create a test environment and a process for testing malware
Metadata investigation:
  • Data about data
  • Descriptive metadata
  • Structural metadata
Windows Events:
  • Logs day-to-day events
  • The event log maintains this data.
  • Command – wevtutil
  • Event files are databases related to System, Security and Application
  • Storage location: SysEvent.evt
Popular event ID:
  • Event ID 4902 – Modification of audit policy
IIS Log:
  • Exyymmdd.log
  • Ex refers to extended format
DHCP Server Logs:
  • Format
Firewall Logs:
  • Pfirewall.log
Windows Passwords:
Active Directory - NTDS.DIT
For a standalone system it's the SAM (Security Account Manager) file – in System32\Config, with an additional copy in the repair folder.
  • Passwords are stored in hash format
LANMAN – it's outdated
NTLMv2 is the latest version used by Windows
Sigverif: shows unsigned drivers
  • CurrPorts – similar to NetStat -a