BSides Munich 2024

/proc for Security Analysts: Unveiling Hidden Threats and Forensic Treasures
2024-11-11 , WestIn - Partenkirchen

In the intricate landscape of cybersecurity, the ability to uncover hidden threats and analyze system behaviors is paramount.

The /proc filesystem, a critical component of Unix-like operating systems, serves as a treasure trove of real-time data and system information. In this talk, "/proc for Security Analysts," we will delve into the forensic value of /proc, demonstrating how it can be leveraged to detect rootkits, uncover anomalies, and gain a profound understanding of the operating system.

Participants will learn how to navigate and interpret the vast array of data within /proc, equipping them with the skills to enhance their security analyses and bolster system defenses.


1. Introduction to /proc

  • Overview of the /proc filesystem
  • Importance of /proc in system administration and security
  • Key files and directories: /proc/cpuinfo, /proc/meminfo, /proc/net/, /proc/[pid]/

2. Forensic Value of /proc

  • Real-time system and process information
  • Carving out deleted executables

3. Detecting Rootkits with /proc

  • Understanding rootkits and their behaviors
  • Common techniques rootkits use to hide
  • Using /proc to reveal hidden processes and files
    • /proc/[pid]/exe and /proc/[pid]/cwd
    • /proc/modules
    • /proc/net/tcp and /proc/net/udp
  • Tools and scripts for rootkit detection using /proc
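As an added example (not material from the talk or its speakers), the following Python script shows three of the checks outlined in sections 2 and 3 in working form: finding a process that has been hidden from the /proc directory listing but is still reachable by path, spotting a running process whose executable was unlinked from disk (the "(deleted)" marker on /proc/[pid]/exe, which is also the handle used to carve the binary back out), and parsing /proc/net/tcp so its sockets can be compared with what userland tools report. The /proc/net/tcp content and the PID sets used below are constructed sample data, so the script runs offline; the `*_live` helpers operate on a real Linux /proc when one is present.

```python
"""Added example: small /proc checks for responders. Sample data is constructed."""
import os
import socket
import struct

# Socket state codes as printed in column "st" of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp snapshot: sshd listening on 0.0.0.0:22, a local
# service on 127.0.0.1:8080, and one established connection to 203.0.113.5:443.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24911 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B4C2 057100CB:01BB 01 00000000:00000000 02:000003E8 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
"""


def find_hidden_pids(listed_pids, probe_pid_exists, max_pid=32768):
    """PIDs that answer when probed by path but are absent from the listing.

    `listed_pids` is what readdir("/proc") returned; `probe_pid_exists(pid)`
    tests /proc/<pid> directly (os.path.isdir on a live host). A rootkit that
    filters getdents() results cannot hide from a direct path lookup.
    """
    listed = set(listed_pids)
    return [pid for pid in range(1, max_pid + 1)
            if pid not in listed and probe_pid_exists(pid)]


def listed_pids_live(proc="/proc"):
    """Numeric entries of the /proc directory listing on a live system."""
    return [int(n) for n in os.listdir(proc) if n.isdigit()]


def find_hidden_pids_live(proc="/proc"):
    return find_hidden_pids(listed_pids_live(proc),
                            lambda pid: os.path.isdir(f"{proc}/{pid}"))


def exe_is_deleted(link_target):
    """/proc/<pid>/exe resolves to '<path> (deleted)' once the binary has been
    unlinked; the content is still readable through the link (cp /proc/<pid>/exe)."""
    return link_target.endswith(" (deleted)")


def deleted_executables_live(proc="/proc"):
    """Map pid -> exe link target for processes whose binary was unlinked."""
    hits = {}
    for pid in listed_pids_live(proc):
        try:
            target = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; other users' PIDs need root
        if exe_is_deleted(target):
            hits[pid] = target
    return hits


def _hex_to_addr(hexaddr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IPv4 part is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into rows with decoded addresses and state."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({"local": _hex_to_addr(fields[1]),
                     "remote": _hex_to_addr(fields[2]),
                     "state": TCP_STATES.get(fields[3], fields[3]),
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return rows


def listening_sockets(rows):
    """(ip, port) pairs in LISTEN state, to diff against `ss -ltn` output."""
    return [row["local"] for row in rows if row["state"] == "LISTEN"]


if __name__ == "__main__":
    # Constructed PID sets: the listing omits 1337, which still exists by path.
    print("hidden:", find_hidden_pids([1, 2, 3], lambda p: p in {1, 2, 3, 1337}, 2000))
    print("listening:", listening_sockets(parse_proc_net_tcp(SAMPLE_NET_TCP)))
    if os.path.isdir("/proc"):
        print("live hidden:", find_hidden_pids_live())
        print("live deleted exe:", deleted_executables_live())
```

The inode column is the join key to the owning process: the same number appears as the target of one of the /proc/[pid]/fd/* links (`socket:[31337]`), which is how a suspicious connection is tied back to a PID without trusting `netstat -p`.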

4. Learning the Operating System with /proc

  • Kernel parameters and tunables: /proc/sys/
  • Process management and signals: /proc/[pid]/
  • Network stack and interfaces: /proc/net/
  • Filesystems and mount points: /proc/mounts

5. Practical Applications and Case Studies

  • Real-world examples of security incidents uncovered through /proc
  • Case studies demonstrating successful rootkit detection and removal

Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.

Asger Strunk is a highly skilled IT security professional with a wealth of experience spanning over a decade. Throughout his career, Asger has been involved in both offensive and defensive security operations, working tirelessly to protect individuals and organizations from cyber threats. His expertise in incident response is second to none, and he has an unwavering commitment to ensuring his clients are protected at all times. Currently, Asger is employed full-time by a leading Swiss cyber security company, where he specializes in incident response and brings a level of expertise that is unmatched in the industry.