HTCIA New England Chapter October 26th 2023 Meeting [Virtual]
Thursday, October 26, 2023 (10:00 AM - 1:00 PM)
Summary of topic
Resource-Level Cloud Forensics
Cloud Service Providers, such as AWS, GCP and Azure, often introduce artifacts of forensic value when developing features for automation and monitoring of resources. Typically, these artifacts are undocumented and exist purely for the provider’s own troubleshooting, but they also provide valuable insight to an investigator analysing malicious activity on a system. Frequently, this insight surpasses that of “provider-supported” forensic data sources.
Most of the discourse around performing forensics in the cloud focuses on provider-level logging. While this is undoubtedly useful, practitioners understand that resource-level forensic analysis is crucial when responding to incidents affecting cloud infrastructure - and much of this knowledge remains opaque and undocumented.
In this presentation, Chris Doman, co-founder of Cado Security, will present novel research into undocumented forensic artifacts from cloud-service-provider-specific operating systems and tools, and will give the audience an overview of forensic techniques across cloud compute and serverless environments. Native operating system artifacts will also be discussed and contrasted with their cloud equivalents, with consideration given to their usefulness in the context of the cloud.
Monolith Forensics LLC
Neptune, a tool that helps ICAC investigators review CyberTips
Thiago Bordini, Head of Cyber Threat Intelligence at Axur, is an executive with more than 20 years of experience in the cyber intelligence market, working on the analysis and prevention of cyber threats and fraud and on the dissemination of educational content on the subject to professionals and companies. He is technical coordinator and postgraduate professor at IDESP, and a speaker at several national and international events such as YSTS, EkoParty, H2HC, Security BSides, SANS, HTCIA, CoronaCon, 8.8 Andina and Brazil, among others. He is a member of the HTCIA (High Technology Crime Investigation Association) and of the Security BSides Sao Paulo/Brazil organization.
Many investigative agents talk about cybercrime on the Deep and Dark Web, but in LATAM the reality is somewhat different. The study gives insight into how groups operate, the main scams, and especially how the use of counterintelligence can help in gathering information about targets.
Given lenient legislation and the difficulties of cyber investigation, WhatsApp and Telegram are now part of the largest network for fraud-related and other illicit activities in the country.
Today it is possible to buy counterfeit banknotes, machines infected with banking trojans, phishing campaigns, "orange" (money-mule) accounts, credit cards, internet banking credentials, personal documents such as RG (identity card), CPF (taxpayer ID, the Brazilian equivalent of a social security number), CNH (driver's license) and birth certificates, databases, pay TV, payment of bills and taxes, drugs, and other "products and services".
The proof of concept presented in this study demonstrates how simple counterintelligence techniques can be powerful allies in investigative processes.
The study presents a strategic analysis of the main illicit actions mapped, the payment methods used, the amounts involved, and related issues. From a technical point of view, it presents the counterintelligence techniques adopted during the study phase, the effectiveness of each, and technical indicators such as the VPN and cloud providers used.
The result is a broad analysis, performed through counterintelligence techniques, that mapped the main OPSEC techniques employed by the attackers, the operating systems and providers they used, their geographic region, and other information that will be presented during the lecture.