Ryan Benson - SANS Institute · Q What types of things do you look for during an investigation? R...
42
Ryan Benson
Transcript of Ryan Benson - SANS Institute · Q What types of things do you look for during an investigation? R...
Ryan Benson
Efficiently Summarizing Web Browsing Activity
Ryan Benson
An overview can save time before an in-depth investigation
#DFIRBrowser Investigations Survey
Q How many devices do you investigate each month?
Lessthan 5
5 - 10 11 - 20 20 - 39 40 ormore
0%
10%
20%
30%
40%
50%
Lessthan 5
5 - 10 11 - 20 20 - 39 40 ormore
0%
10%
20%
30%
40%
50%
All Investigations Browser History Investigations
Q How many devices does each person have?
Onecomputer
One mobile Onecomputer &one mobile
Multiplecomputers
Multiplemobiles
Multiplecomputers &
mobiles
0%
10%
20%
30%
40%
50%
Q How much time do you spend reviewing browsing history per device?
Under 15 minutes 15 minutes - 1hour
1 - 2 hours Over 2 hours
0%
10%
20%
30%
40%
Investigation Time vs Device Workload
Under 15 min 15 min - 1 hour 1 - 2 hours Over 2 hours
Less than 5 5% 5% 7% 7%
5 - 10 3% 19% 14% 14%
11 - 20 2% 9% 9% 3%
20 - 39 0% 2% 0% 2%
Over 40 0% 0% 0% 0%
De
vice
s p
er M
on
th
Investigation Time
- Utilize visualizations to reveal trends & patterns
An overview can save time before an in-depth investigation
Synopsis
https://github.com/ExabeamLabs/Synopsis
Q How do you find things of interest?
Keyword search(custom to case)
Keyword lists(generic terms)
Timeline - startingfrom a known point
Review it all,line by line
Other
0%
25%
50%
75%
100%
Overall Timeline
Q How often do you perform each type of review?
Review Type < 5% 5% - 34% 35% - 64% 65% - 95% > 95%
Quick search, looking for activity
on one particular website12% 34% 16% 21% 17%
Review activity on a handful of
websites/web apps 11% 18% 33% 19% 19%
Review images for inappropriate
content40% 21% 17% 9% 14%
Look for potential compromises 17% 19% 19% 22% 22%
Comprehensive, line by line review
of activity43% 22% 16% 9% 10%
Domain Sparks
Heatmap
Word Cloud
Q How often do you find these types of info?
Information Type < 5% 5% - 34% 35% - 64% 65% - 95% > 95%
"Smoking gun" - explicit evidence of a
pertinent activity5% 26% 45% 21% 3%
Bad activity - not what you were looking for
initially, but some kind of inappropriate action10% 29% 26% 31% 3%
Supporting data - not conclusive by itself, but
useful supporting information2% 12% 50% 22% 14%
Only non-relevant data - nothing useful for the
investigation was found on that device21% 43% 24% 5% 7%
- Automate answers to common questions
An overview can save time before an in-depth investigation
- Utilize visualizations to reveal trends & patterns
Q What types of things do you look for during an investigation?
Responses
Search engine queries 90%
Email accounts 69%
Cloud storage activity 69%
Social Media / Messaging activity 59%
Illegal Activities 50%
Images 45%
Evidence of other owned devices 41%
Other (please specify) 21%
Investigation Target
Search Engine Queries
https://www.google.com/search?q=browser+forensics&ei=rtUOW6zwK6ms0gLopK2ACQ&start=10&sa=N&biw=2560&bih=1366
Q What types of things do you look for during an investigation?
Responses
Search engine queries 90%
Email accounts 69%
Cloud storage activity 69%
Social Media / Messaging activity 59%
Illegal Activities 50%
Images 45%
Evidence of other owned devices 41%
Other (please specify) 21%
Investigation Target
Extracted Accounts
Saved Logins
Autofill
Extracted from browsing history
Q What types of things do you look for during an investigation?
Responses
Search engine queries 90%
Email accounts 69%
Cloud storage activity 69%
Social Media / Messaging activity 59%
Illegal Activities 50%
Images 45%
Evidence of other owned devices 41%
Other (please specify) 21%
Investigation Target
Synced & Discovered Devices
Discovered Devices(from Media Router Extension)
Synced Devices (from SyncData.sqlite3)
Media Router
{
"id":"rzHno-iMB…",
"ip":"192.168.1.8",
"port":8009,
"friendlyName":"TV",
"modelName":"BRAVIA 4K GB",
"capabilities":5,
"discoveredByDial":false,
"appStatusMap":{}
}
LocalStorage -> Chrome Media Router (pkedcjkdefgpdelpbcmbmeomcjbeemfm)
Q What is the technical level of your typical audience?
Technical Level Responses
Advanced (DFIR) 29%
Technical, but unfamiliar with space (IT) 47%
Non-technical, but familiar with space (HR) 53%
Non-technical, unfamiliar with space (layperson) 36%
Q How to do communicate your findings?
Method Responses
Informally – email or conversation 40%
Update a ticket / case management 29%
Written report – for an internal audience (team
lead, HR, manager, etc) 64%
Written report – for an external audience
(consulting client, lawyer, etc)48%
Affidavit, deposition, or other legal/court-related
method22%
- Provides starting point for final report
An overview can save time before an in-depth investigation
- Utilize visualizations to reveal trends & patterns
- Automate answers to common questions
NTNU Tidal Investigation
Writing Guides
https://zeltser.com/writing-tips-for-it-professionals/
Lenny Zeltser’s Technical Writing Tips for IT Professionals
- Utilize visualizations to reveal trends & patterns
- Automate answers to common questions
- Provides starting point for final report
An overview can save time before an in-depth investigation
Q
