Application Security Architecture Authentication
CertificationsCorporate ComplianceCryptology
Disaster RecoveryEnterprise SecurityExploits
FirewallsIncident HandlingIntrusion Detection
OS SecurityPolicies and ProceduresSecurity Basics
Security ManagementSecurity ToolsServers
StandardsVoIPVulnerability Management
Web SecurityWiFi SecurityWorms and Viruses

Beats & Bytes: Striking the Right Chord in Digital Forensics (OR: Fiddling with Your Evidence)

by Ryan D. Pittman, Cindy Murphy, and Matt Linton

This paper will present results from a recent survey of DF/IR professionals and seek to provide relevant observations (together with published psychological, sociological, and neurological research) to discuss the similarities and intersections of DF/IR and music, as well as identify potential correlations between being a successful DF/IR professional and playing music. It will also discuss numerous challenges facing DF/IR professionals today and how learning to play and enjoy music can help DF/IR personnel both overcome some of those challenges and be more effective in their chosen field.
» Read more

Forensicating Docker with ELK

by Stefan Winkel

Docker has made an immense impact on how software is developed and deployed in today’s information technology environments. The quick and broad adoption of Docker as part of the DevOps movement has not come without cost. The introduction of vulnerabilities in the development cycle has increased many times. While efforts like Docker Notary and Security Testing as a Service are trying to catch up and mitigate some of these risks, Docker Container Escapes through Linux kernel exploits like the recent widespread Dirty COW privilege escalation exploit in late 2016, can be disastrous in a cloud and other production environments. Organizations find themselves more in need of forensicating Docker setups as part of incident investigations. Centralized event logging of Docker containers is becoming crucial in successful incident response. This paper explores how to use the Elastic stack (Elasticsearch, Logstash, and Kibana) as part of incident investigations of Docker images. It will describe the effectiveness of ELK as result of a forensic investigation of a Docker Container Escape through the use of Dirty COW.
» Read more

The Efficiency of Context: Review of WireX Systems Incident Response Platform

by Jerry Shenk

WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.
» Read more

Best Practices in Mobile Phone Investigations

The field of mobile phone investigation has grown exponentially in recent years. The number of cell phones investigated each year has increased nearly tenfold over the past decade. Courtrooms are relying more on the information inside a cell phone as vital evidence in cases of all types.

Despite that, the practice of mobile phone forensics is still in its relative infancy. Many digital investigators are new to the field and are in search of a simple book that could be titled Phone Forensics for Dummies.

Unfortunately, that book is not available yet—so investigators need to look elsewhere for information on how to best tackle cell phone analysis. This article can help—although by no means should it serve as an academic guide. It can, however, be used as a first step to help an investigator gain a basic understanding in the area.
» Read more

A Proactive Approach to Incident Response

Any incident response has two components that drive overall cost:
1. How long does it take to detect the intrusion after the attackers first gain access?
2. Once detected, how quickly can the incident be remediated?
Finding a solution that addresses both questions with satisfactory answers is the job of any organization that cares about saving costs and protecting data. In today’s security environment, though, separating the important signal from the noise is one of the bigger challenges incident responders face.
» Read more