SAP (Anti-)Forensics: Detecting White-Collar Cyber-Crime

SAP systems are increasingly in the spotlight: attackers are starting to understand the value of these kinds of systems, and we already see that “SAP” is part of the attacker arsenal. Almost inevitably, this leads to being mandated to perform forensic investigations on SAP systems… and, as most people can imagine, it is a challenging activity!

With more than 19 different data sources, located in different places (database, OS) and in different formats (table, text file, proprietary format file), you must be prepared. This is why we decided to write and share documentation about it, as exhaustive as possible, including explanations of all data sources, their specifics, what to look for, and their limitations, but also the possible anti-forensic techniques that investigators must be aware of.

This talk focuses on the most important parts of the whitepaper. It tries to provide as easy an introduction as possible to SAP forensics, and it demonstrates a few anti-forensic techniques and protections against them.

Opening part. After a quick “whoami” and an introduction to what an SAP system is and what could go wrong if an SAP system is breached, we will focus on the specifics of SAP forensics.

State of the art. We will describe the previous research that exists on SAP forensics, highlighting that there is no recent information about it.

White paper. We will quickly introduce the whitepaper attached to this talk, where all data sources are explained in much more depth, with examples. We will also explain that we tried to make the documentation as exhaustive as possible at this time.

SAP data sources. We dedicate this part to explaining what we call a “data source” in an SAP environment, what formats it can take and, most importantly, where to find them in an SAP system. For that, we must go deeper into the SAP architecture and explain what NetWeaver ABAP, NetWeaver JAVA, S/4 HANA and SAP Agents are, and how everything can be linked during a forensic analysis.

Focus on important data sources. We can’t cover all data sources in one talk. This is why we selected a few of them that we consider critical to understand: some of them are always enabled and central, some come from services targeted by attackers, and others can be related to post-exploitation activity. This list includes: System Trace, Developer Traces, Gateway logs, Webdispatcher logs, Table Change Logging, Users and authorization traces, and JAVA Log Viewer. For each, we will describe it and provide its configuration parameters, its limitations, what to look for as a forensic investigator, and which anti-forensic techniques you should know about. This last part includes vulnerabilities we found or configuration issues we spotted.

Tools. We will introduce several small tools we created to help during forensic analysis, such as collecting all logs and traces of an SAP system on Unix or Windows, or performing automatic checks on specific Gateway and ICM logs.

Closing part. Finally, we will conclude with overall recommendations regarding SAP forensics and log management, followed by thanks, questions and, as usual, a reminder for the charity 10k run.

About the Speaker