Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 6: Live Analysis Techniques.

Published byAlan Rich Modified over 8 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 6: Live Analysis Techniques."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 6: Live Analysis Techniques

2 Chapter Topics: Prepare a toolkit to acquire RAM from a live system Identify the pros and cons of performing a live analysis

3 Finding Evidence in Memory Hackers attempt to hide evidence of their activities The traditional focus of of LE forensics is the hard drive of the victim Hackers have designed their toolsets around this philosophy by using code that will only execute in RAM –DLL injections –Hooks

4 IR Considerations Pulling the plug will remove invaluable data from RAM Keep interaction with the target to a bare minimum Bring your own trusted tools! Think before you act…then think again Document everything

5 Creating a Live-Analysis Toolkit Think about the reason for performing every action Use only trusted and validated analysis tools Request intimate details about target system –OS? –Architecture? (32 vs 64 bit?) Assume you only have but one shot to capture volatile data correctly

6 RAM Acquisition Tools DumpIt –Creates binary dump –Supports 32/64-bit –CLI WinEN –Creates EnCase evidence file –Supports 32/64-bit –CLI FTK Imager Lite –Creates binary dump –Supports 32/64-bit –GUI-based

7 RAM Analysis Tools Volatility 2.0 –Open source RAM analysis tool –Active network connections –Running processes –Loaded DLLs Memoryze Consider mounted encrypted volumes

8 Monitoring Communications Network Sniffer –Analyze which IP’s are engaged with victim systems –Which ports are being used –Network packet payload

9 Monitoring Communications Network Port Scanner –Analyze which ports are open on the network –Determine what services are legitimate Open Source Tools –Nmap

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 6: Live Analysis Techniques."

Similar presentations

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Data Acquisition Chao-Hsien Chu, Ph.D.

Data Acquisition Chao-Hsien Chu, Ph.D.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.

Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.
Passwords, Encryption Forensic Tools

Passwords, Encryption Forensic Tools
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
How to discover ephemeral evidence with Live RAM analysis.

How to discover ephemeral evidence with Live RAM analysis.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
13Computer Intrusions Dr. John P. Abraham Professor UTPA.

13Computer Intrusions Dr. John P. Abraham Professor UTPA.

Similar presentations

Ads by Google