% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.

\begin{frame}[t,plain]
\titlepage
\end{frame}

\begin{frame}
\frametitle{DFIR and MISP digital evidence}
\begin{itemize}
\item \textbf{Share analyses and reports} of digital forensic evidence.
\item \textbf{Propose changes} to existing analyses or reports.
\item Extend existing events with additional evidence for local use or for limited-distribution sharing (sharing can be defined at event level or attribute level).
\item \textbf{Evaluate correlations}\footnote{MISP has a flexible correlation engine which can correlate on 1-to-1 value matches, but also on fuzzy hashing (e.g.\ ssdeep) or CIDR block matching.} of evidence against external or local attributes.
\item \textbf{Report sightings} such as false-positive or true-positive (e.g.\ a partner/analyst has seen a similar indicator).
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Benefits of using MISP}
\begin{itemize}
\item LE can leverage the long-standing experience in information sharing and \textbf{bridge their use-cases} with MISP's information sharing mechanisms.
\item \textbf{Access existing MISP information sharing communities} by receiving actionable information from CSIRT/CERT networks or security researchers.
\item \textbf{Bridge LE communities with other communities}. Sharing groups can be created (and managed) across sectors to support specific use-cases.
\item The \textbf{MISP standard} is a flexible format which can be extended by users of the MISP platform. A MISP object template can be created in under 30 minutes, allowing users to rapidly share information using their own data-models with existing communities.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Challenges and implementations}
\begin{itemize}
\item Standard sharing mechanism for forensic cases
\begin{itemize}
\item MISP allows for the efficient \textbf{collaborative} analysis of digital evidence
\item Correlation on certain attributes
\end{itemize}
\item Importing disk images and file system activity data (\texttt{Mactime})
\begin{itemize}
\item Development of an adaptable import tool: from Mactime to the MISP \texttt{Mactime object}
\end{itemize}
\item Create, modify and visualise the timeline of events
\begin{itemize}
\item Development of a flexible timeline system at the event level
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Forensic import (MISP 2.4.98)}
\centering
\includegraphics[scale=0.3]{pics/import.png}
\includegraphics[scale=0.3]{pics/import-table.png}
\begin{itemize}
\item Possibility to import \textbf{Mactime} files [done]
\item Pick only relevant files [done]
\item A \texttt{MISPObject} will be created [done]
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Data visualization (MISP zoidberg branch)}
\includegraphics[width=1.0\linewidth]{pics/timeline.png}
\begin{itemize}
\item View: start-date only, spanning and search [dev-branch]
\item Manipulate: edit, drag and expand [dev-branch]
\item Others: timezone support [dev-branch]
\end{itemize}
\vspace{0.3cm}
\(\rightarrow\) For now [dev-branch], supports up to \textbf{microseconds} in the database and up to \textbf{milliseconds} in the web interface.
\end{frame}