Forensic Analysis of TAILs.pdf (47 pages)
2025 Walmart Inc. All Rights Reserved. SENSITIVE INFORMATION CLASSIFICATION

Does Slicing Onions Make You Cry? Forensic Analysis of TAILs

whoami
Principal Incident Response Engineer, Walmart CSIRT
NIFA Network Intrusion Forensic Analyst, USSS/NCFI
Officer, Portland Police Bureau - Investigative Branch, Forensic Evidence Division, Digital Forensics Unit
Opinions are mine, NOT my employer's.
All data is fake; NO real PII is in the data sets.

Presentation Outline
Memory and Filesystem Collection
Memory and Filesystem Analysis
What is Tails and How is it used
Illegal Activities
Issues examiners face w/ systems booted into TAILs
Conclusion / Q&A

Issues Examiners and First Responders Face
Identification: Realizing and understanding that TAILs is running on the PC.
Encryption: Default encryption is LUKS (Linux Unified Key Setup). Think full disk encryption, to include the root partition (operating system files).
Access: Without the administrator password, you will not have access to the filesystem or root privileges, which can make accessing the filesystem and/or collection problematic if not impossible.

Issues Examiners and First Responders Face
Persistence: Unlike traditional operating systems, TAILs doesn't offer persistent storage by default. Persistence must be established by the user and is LUKS encrypted by default.
Volatile: Since TAILs runs only in memory (RAM), the data is volatile and not recoverable after shutdown, hence lacking persistence by default.
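
An added triage example, not taken from the presentation: since any persistence a user sets up is LUKS encrypted, an examiner can confirm from an acquired image whether a LUKS volume exists by scanning sector boundaries for the LUKS header magic and reading the cleartext header fields. The function names and the sample image are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # 6-byte magic at offset 0 of a LUKS1/LUKS2 header

def _cstr(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks_header(buf):
    """Return cleartext header facts, or None if buf does not start a LUKS header."""
    if len(buf) < 208 or buf[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", buf[6:8])[0]
    info = {"version": version}
    if version == 1:
        # LUKS1: cipher name, cipher mode, hash spec (32 bytes each), then
        # payload offset (in 512-byte sectors) and master key length (bytes)
        cipher, mode, hash_spec = (_cstr(buf[o:o + 32]) for o in (8, 40, 72))
        payload_sectors, key_bytes = struct.unpack(">II", buf[104:112])
        info.update(cipher=f"{cipher}-{mode}", hash=hash_spec,
                    key_bits=key_bytes * 8, payload_offset=payload_sectors * 512)
    elif version == 2:
        # LUKS2: binary header size at 8, label at 24; cipher lives in the JSON area
        info.update(hdr_size=struct.unpack(">Q", buf[8:16])[0], label=_cstr(buf[24:72]))
    info["uuid"] = _cstr(buf[168:208])  # UUID sits at offset 168 in both versions
    return info

def find_luks_volumes(image, sector=512):
    """Scan a raw image (bytes) at sector boundaries for LUKS headers."""
    hits = []
    for off in range(0, len(image) - 207, sector):
        info = parse_luks_header(image[off:off + 208])
        if info:
            hits.append(dict(info, offset=off))
    return hits

def sample_image():
    """Constructed 8-sector image with a fake LUKS1 header at sector 4."""
    hdr = LUKS_MAGIC + struct.pack(">H", 1)
    hdr += b"".join(s.ljust(32, b"\0") for s in (b"aes", b"xts-plain64", b"sha256"))
    hdr += struct.pack(">II", 4096, 64) + bytes(20) + bytes(32) + struct.pack(">I", 1000)
    hdr += b"00000000-0000-4000-8000-000000000000".ljust(40, b"\0")  # placeholder UUID
    return bytes(4 * 512) + hdr.ljust(512, b"\0") + bytes(3 * 512)

if __name__ == "__main__":
    for hit in find_luks_volumes(sample_image()):
        print(hit)
```

A hit only shows that an encrypted volume is present and which cipher parameters it declares; the contents stay inaccessible without the passphrase.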