
Secure Data Collection and Transfer Infrastructure for DFIR Analysts
Explore a dynamic forensic evidence collection infrastructure presented at BSides Seattle 2024, designed to securely receive untrusted data from the internet while ensuring compliance with legal requests and maintaining data integrity. Discover the cloud infrastructure overview and strategies for securely transferring and accessing untrusted content on demand. Learn from industry experts about building a secure framework for DFIR analysts.
Presentation Transcript
Just-in-time Oubliette: Dynamic Forensic Evidence Collection Infrastructure (BSides Seattle, April 2024)
Who Are We? | Why do you care?
JR Aquino, Director of Security Operations at Ubisoft (Mastodon: Enigma@infosec.exchange)
Scott Gorlick, Security Architect for Power Platform and Dynamics (Mastodon: Scottley@infosec.exchange)
Backgrounds:
- Former Microsoft and Citrix Security Leader
- Created centralized SUDO for Fedora's FreeIPA
- FreeBSD port maintainer for Metasploit and UnrealIRCD
- OpenBSD port maintainer for Nmap
- Infrastructure security, automation, and investigations
- Software Engineer: ecommerce, banking, and NMS
- Telephony/Voice Hardware Verification Testing
USER STORY: As a DFIR Analyst, I need to securely receive untrusted data from the Internet.
Collecting Untrusted Data:
- 3rd Party on the Internet
- 1st Party Employees on BYOC / Home Systems
- Threat Actors complying with legal requests for data
- Random untrusted data found on the Internet needing an isolated detonation chamber prior to ingestion
Securely Transferring and Accessing Untrusted Content On-Demand (JIT) Infrastructure
- Write-Only Key used for immutable uploads
- Read-Only Key used for forensic review of the data
- Chain-of-Custody Logging for all operations
Cloud Infrastructure Overview: Hardened, Auditable, Minimized
- Dedicated Azure Resource Group
  - Resources tagged w/ Case Number
- Dedicated Azure Storage Account
  - Azure Private Link
  - Infrastructure Double Encrypted (CMK)
  - Analytics Logs Enabled
  - Immutable Legal Hold
  - Shared Access Signature (SAS) Keys: IP Restricted; Read-Only Key; Write-Only Key
- Private Networking
  - Private VNET
  - Private DNS
- Isolated Linux Analysis VM
  - SSH Key Enabled
  - Azure NSG Protected Remote Access
- Log Analytics Workspace
  - Separate location for telemetry from Azure services such as Azure Storage, Azure Key Vault, Azure Network Service Groups
- Dedicated Isolated Azure Key Vault
  - IP Restricted Access
  - Key Vault Logging Enabled
  - Protected SAS URI Secrets
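The design above rests on two SAS keys with disjoint permissions (write-only for uploads, read-only for review), both IP restricted and stored as Key Vault secrets. The following is an added example, not code from the talk or the SecOpsSamples repository: a stdlib-only linter that checks a SAS URI against that policy before it is stored, using the standard SAS query fields (sp, sip, spr, se, sig). The sample URIs, storage account name, IP address, 30-day lifetime cap and fixed clock are constructed assumptions; the sig values are placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters (the SAS 'sp' field) each role may carry.
ROLE_PERMISSIONS = {
    "write-only": set("acw"),  # add/create/write: upload only, never read, list or delete
    "read-only": set("rl"),    # read/list: review only, never modify
}
MAX_LIFETIME = timedelta(days=30)  # assumed cap on how long a case key may live
# Constructed fixed clock so the checks below are reproducible.
EXAMPLE_NOW = datetime(2024, 4, 20, tzinfo=timezone.utc)

def _parse_expiry(value):
    # SAS 'se' is ISO 8601 UTC, e.g. 2024-05-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas_uri(uri, role, now=None):
    """Return policy findings for a SAS URI; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    findings = []
    granted = set(q.get("sp", ""))
    if not granted:
        findings.append("no permissions (sp) present")
    extra = granted - ROLE_PERMISSIONS[role]
    if extra:
        findings.append(f"{role} key grants excess permissions: {''.join(sorted(extra))}")
    if "sip" not in q:
        findings.append("not IP restricted (sip missing)")
    if q.get("spr") != "https":
        findings.append("does not require HTTPS (spr)")
    if "se" not in q:
        findings.append("no expiry (se)")
    else:
        expiry = _parse_expiry(q["se"])
        if expiry <= now:
            findings.append("already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append(f"lifetime exceeds {MAX_LIFETIME.days} days")
    if "sig" not in q:
        findings.append("unsigned (sig missing)")
    return findings

# Constructed sample URIs for a case container; PLACEHOLDER stands in for a real signature.
WRITE_ONLY_SAS = ("https://stcase1234.blob.core.windows.net/evidence?sv=2022-11-02&sr=c"
                  "&sp=cw&sip=203.0.113.10&spr=https&se=2024-05-01T00:00:00Z&sig=PLACEHOLDER")
LEAKY_SAS = ("https://stcase1234.blob.core.windows.net/evidence?sv=2022-11-02&sr=c"
             "&sp=rwdl&spr=https,http&se=2025-01-01T00:00:00Z&sig=PLACEHOLDER")
```

Run audit_sas_uri(LEAKY_SAS, "write-only", EXAMPLE_NOW) to see an upload key that would also let a third party read, list and delete other parties' evidence, undermining the immutable-upload model.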
Praise be to the Demo Gods (demo roles: Untrusted 3rd Party, 1st Party, Analyst)
Where can I get such wonderful toys?!
Deployment Script, Template, and Parameters: https://github.com/scottleyg/SecOpsSamples/tree/develop/EvidenceCollection
Cool Story Bro - How much does something like this cost!?
YMMV but TL;DR: Under $100.00 per month (public list prices)
- Azure VM: https://azure.microsoft.com/en-us/pricing/details/virtual-machines/ubuntu-advantage-standard/
- Azure Key Vault: https://azure.microsoft.com/en-us/pricing/details/key-vault/
- Azure Storage: https://azure.microsoft.com/en-us/pricing/details/storage/blobs/
Reference Documentation Bookmarks
Azure Cloud
- ARM Templates & Deployment Scripts: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview
- Azure Cloud Shell: https://learn.microsoft.com/en-us/azure/cloud-shell/overview
- Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
- Azure Network Service Groups (NSGs) Just-in-Time (JIT) Remote Access: https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
Azure Storage
- Infrastructure Double Encryption: https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable
- Customer Managed Keys: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-new-account
- Shared Access Signatures (SAS): https://learn.microsoft.com/en-us/rest/api/storageservices/create-account-sas
- Immutable Legal Hold: https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-legal-hold-overview
- Analytic Logs: https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
- Private Endpoints: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
- AzCopy: https://github.com/Azure/azure-storage-azcopy
Azure Key Vault
- Key Vault Firewalling: https://learn.microsoft.com/en-us/azure/key-vault/general/network-security
- Private Links: https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service
- Key Vault Logging: https://learn.microsoft.com/en-us/azure/key-vault/general/logging
Azure Private DNS: https://learn.microsoft.com/en-us/azure/dns/private-dns-overview
Azure Log Analytics Workspaces: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview