Honeytraps as Forensic Tools
Yanet Manzano

Structure
- Introduction
- CNF Overview
- Honeytraps Overview
- Why not used for forensics?
- Honeytraps as Forensic Tools
- Main IDEA
- P&S Connections
- Parallel Architecture, Parallel Forensic Model, Parallel Forensic Investigation
- Serial Architecture, Serial Forensic Model, Serial Forensic Investigation
- Conclusion

Introduction
- Background: Computer and Network Forensics (CNF); honeytraps
- Why have honeytraps not been used for forensics?
- Honeytraps as a forensic tool
- Two architectures: serial and parallel
- Conclusion

CNF Overview
- Whitehats against blackhats
- The action-response-reaction cycle evolved into CNF
- Gathering evidence is at the heart of CNF
- CNF has two sides:
  - to assess the impact of the malicious or suspect act or acts, sufficient damage must be shown
  - to gather information that legally binds the act or acts that caused the damage to the actual perpetrator

CNF vs. mainstream computer and network security techniques
- Traditionally, security efforts have been geared towards prevention: protecting resources and information
- CNF, for the most part, has been an after-the-fact process, concerned with gathering information about attacks and perpetrators
- Forensic experts must have investigative, legal, and computing skills
- Forensic experts may be hired by insurance companies, and also by individuals

Honeytraps Overview
- Honeytraps: systems designed to be compromised
- They hold no real valuable data or information
- Main goal: to capture and analyze data in order to learn about the blackhat community

Honeytraps Overview
- Honeypots:
  - host systems that attract intruders to enter the host by emulating a known vulnerability
  - modified production systems that create caged environments where the actions of intruders can be carefully monitored and documented
- Honeynets: a network of interconnected production and honeypot nodes

Why not used for forensics?
- Not their main goal
- Legal issues:
  - No valuable data
  - Not a real system
  - No real users
  - Entrapment
  - Privacy

Honeytraps as Forensic Tools
- An early effort to systematically connect CNF and security was given in "Policies to Enhance CNF":
  - extended the scope of CNF
  - policies and techniques that could be implemented before an attack occurred that would facilitate the CNF effort both during and after malicious or suspicious activity occurred
- Our paper: a revolutionary extension of that idea, based on using independently implemented systems to gather information that will enable CNF experts to put computer criminals that attack production systems into jail

Traditional Forensic Model
[Figure: flowchart. Start -> Attack Underway (Attack occurs) -> Attack Detected -> Gather Evidence -> Last evidence gathered -> Investigation Underway (Analyze Evidence) -> Investigation Complete -> Verdict/Settlement]

Proposed Forensic Model
[Figure: flowchart. Start -> Attack Underway (Attack occurs) -> Attack Detected -> Gather Evidence (two evidence-gathering stages) -> Present Evidence -> Analysis Underway -> Investigation Complete -> Verdict/Settlement]

Main IDEA
Honeytrap:
- Attacked by blackhat A
- Forensic investigation:
  1) A -> identity
  2) A -> tactics
  3) A -> tools
  4) A -> targets
  5) A -> other info
Production system:
- Attacked by blackhat B
- Forensic investigation:
  1) Damage report
  2) B -> info
- B -> info is a combination of 1-5 from A
- P(B -> identity) < P(A -> identity)
- Match B -> info to 1-5 from A; if (enough match) A -> identity = B -> identity

P&S Connections
- Serial architecture: forensic model, forensic investigation
- Parallel architecture: forensic model, forensic investigation

Parallel Architecture
[Figure: network diagram with elements labelled blackhat, Internet, Firewall, Production System, Honeytrap, Potential Evidence]

Parallel Forensic Model
[Figure: two flowcharts, (A) and (B). Labels: Start, Attack Occurs, Attack Detected, Gather Evidence, Present Evidence, Analysis Underway, Investigation Complete, Honeytrap Entered, Forensic Alert System Activated, Response Procedure Activated]

Serial Architecture
[Figure: network diagram with elements labelled blackhat, Internet, Firewall, Production System, Honeytrap, Potential Evidence]

Serial Forensic Model
[Figure: flowchart. Labels: Start, Attack Occurs, Attack Expands, Attack Detected, Gather Evidence, Present Evidence, Verdict / Settlement, Honeytrap Entered, Production System Compromised, Forensic Alert System Activated, Production System on Forensic Alert, Response Procedure Activated]

Serial Forensic Investigation
Two parts:
- HTFI (honeytrap forensic investigation)
  - Input: information collected on the honeytrap
  - Main goal: discover the blackhat's identity, methods, tactics, tools, targets, and other info
- PSFI (production system forensic investigation)
  - Input: evidence collected with the forensic capabilities in place in the production system
  - Main goal: produce a damage report
  - Secondary goal: blackhat info

Conclusion
- Parallel architecture
  - Pitfall: both systems need to be attacked
  - Advantage: independent
- Serial architecture
  - Pitfall: more expensive
  - Advantage: better tracking capabilities
- Security dream system: 100% prevention. Problem: not possible
- CNF dream system: monitors and stores information about everything. Problem: impractical, almost impossible
- Solution: a CNF-friendly system; serial and parallel structures