© 2006 The Trustees of Boston College
Slide 1 Forensics in Fifteen: Evaluating Computers for Technical, rather than Legal, Information
Copyright David Bowie. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Slide 2 Overview
» What this talk is about
o How to quickly assess what is going on from a technical point of view
o Drawing conclusions based on a small sample size
o How to use public tools and current data to understand an incident
o Windows-centric
» What this talk is NOT about
o How to obtain evidence
o How to preserve evidence
o How to conduct an investigation
o How to secure a computer used in a crime
o How to respond to a subpoena
o IANAL (I am not a lawyer)
Slide 3 Who am I?
» David Bowie
o Senior Security Analyst with Boston College
o CISSP
o President, Boston InfraGard Members Alliance
o 20 years with a Tier-1 ISP: BBN, GTE-I, Genuity, Level 3
Slide 4 Before an incident
» Cultivate your (extended) network
o IPS/IDS
o Snort
o Network flows
o DNS queries
o Network/policy changes
o Chatter: mail lists and industry websites
» Check your toolkit
o Latest tools on CD or USB
o Blank CDs and USB sticks for data
o Laptop for browsing and IM
o Notebook
Slide 5 Basic process
» Define a set of sample computers
o Triage
» Isolate the computers
o Controlled test environment
» Evaluate the common threads
o Apps and activities
» Theorize on the likely infection and vector
o Occam's Razor
» Validate your hypothesis
o Test to prove
o Don't be afraid to be wrong
» SET your GOALS
o Confirm or eliminate known infections
o Define the vector: airborne or clickaholic?
o Define the threatened population
Slide 6 Triage à la M*A*S*H
» Focus your efforts on those who will survive…
o Those who need care within five minutes are "immediate"
o Those with stabilized injuries, but needing treatment, are "delayed"
o Patients whose wounds are beyond the ability to treat and who are likely to die are labeled "expectant"
» Applying this to computers…
o Is the computer running the required software?
o Does the computer NOT have games or file-sharing software?
o Is the computer portable?
Slide 7 Clearing the decks for action
» Gather your tools
» Define a location
» Hints:
o allows you to change the boot order. Usually, but some BIOS work differently.
o Keep a hard-copy notebook and log everything
o Open WORD on the target computer for screen captures. Remember, it captures only the active window.
o Save everything to your USB disk in separate folders; burn to CD later
o Dedicate time to the process. This is either an incident, or not.
Slide 8 What tools do I use?
» Public tools
o TCPView
o Procexp
o Autoruns
o MSConfig
o RootkitRevealer
o WFT
o HELIX
» Purchased tools
o ERD Commander
» Where to get tools
o Sysinternals: free tools
o Winternals: purchased tools
o Foundstone: free tools
o HELIX: free Knoppix with tools
o WFT: free tools in a single package
Slide 9 Tools & Toys
» Interesting place for new tools and to share tools
» Top free tools
» Knoppix
o Free bootable Linux CD by Klaus Knopper
Slide 10 Using the tools
» TCPView
o Watch for attempts to connect for no reason; trace each back to the application or service
» Procexp
o Look for odd processes or services started remotely; find the names
» Autoruns
o Look for applications that start automatically. Are they suspect?
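The three views this slide takes from TCPView, Procexp and Autoruns can be captured in one read-only snapshot so that the same questions (who is connecting where, which processes look odd, what starts automatically) are answered consistently across every triaged machine. The script below is an added example, not code from the deck or from Sysinternals; it assumes a current Windows (Get-NetTCPConnection and Get-ScheduledTask need Windows 8 / Server 2012 or later), an elevated PowerShell prompt, and a hypothetical output folder on the analyst's USB disk. The "odd" filters are heuristics chosen here, not rules from the talk.

```powershell
# Added example (not from the original deck): read-only triage snapshot covering the
# TCPView / Procexp / Autoruns views, saved as CSV under $OutDir (one file per view).
# Assumptions: Windows 8+/Server 2012+, elevated prompt, $OutDir is a hypothetical USB path.
param([string]$OutDir = "E:\triage\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmm)")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Process table shared by the views: PID -> name, image path, user.
$byId = @{}
Get-Process -IncludeUserName -ErrorAction SilentlyContinue | ForEach-Object {
    $byId[$_.Id] = [pscustomobject]@{ Name = $_.ProcessName; Path = $_.Path; User = $_.UserName }
}

# 1. TCPView view: each TCP endpoint with its owning process. An outbound connection
#    from an image you cannot account for is the "connect for no reason" the slide means.
$conns = Get-NetTCPConnection | ForEach-Object {
    $p = $byId[[int]$_.OwningProcess]
    [pscustomobject]@{
        State  = $_.State
        Local  = "$($_.LocalAddress):$($_.LocalPort)"
        Remote = "$($_.RemoteAddress):$($_.RemotePort)"
        Pid    = $_.OwningProcess
        Name   = $p.Name
        User   = $p.User
        Path   = $p.Path
    }
}
$conns | Export-Csv -NoTypeInformation -Path "$OutDir\tcpview.csv"
$conns | Where-Object { $_.State -in 'Established', 'SynSent' } | Sort-Object Name | Format-Table -AutoSize

# 2. Procexp view: parent PID and Authenticode status for every process. Heuristic
#    flags (assumption, not from the deck): unsigned image, or running from a
#    user-writable location.
$parents = @{}
Get-CimInstance Win32_Process | ForEach-Object { $parents[[int]$_.ProcessId] = [int]$_.ParentProcessId }
$procList = foreach ($id in $byId.Keys) {
    $p = $byId[$id]
    $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue).Status } else { 'n/a' }
    [pscustomobject]@{ Pid = $id; Parent = $parents[$id]; Name = $p.Name; User = $p.User; Signed = $sig; Path = $p.Path }
}
$procList | Export-Csv -NoTypeInformation -Path "$OutDir\procexp.csv"
$procList | Where-Object { $_.Path -and ($_.Signed -ne 'Valid' -or $_.Path -match '\\Users\\|\\Temp\\|\\ProgramData\\') } |
    Sort-Object Name | Format-Table -AutoSize

# 3. Autoruns view (a subset of what Autoruns enumerates): Run keys and startup folders
#    via Win32_StartupCommand, auto-start services, and enabled scheduled tasks.
$auto = @()
$auto += Get-CimInstance Win32_StartupCommand | ForEach-Object {
    [pscustomobject]@{ Source = $_.Location; Entry = $_.Name; User = $_.User; Command = $_.Command }
}
$auto += Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Entry = $_.Name; User = $_.StartName; Command = $_.PathName }
}
$auto += Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    [pscustomobject]@{ Source = "Task $($_.TaskPath)"; Entry = $_.TaskName; User = $_.Principal.UserId; Command = $cmd }
}
$auto | Export-Csv -NoTypeInformation -Path "$OutDir\autoruns.csv"
# Heuristic (assumption): entries whose command does not live under \Windows\ or
# \Program Files\ are the ones to answer "are they suspect?" for first.
$auto | Where-Object { $_.Command -and $_.Command -notmatch '\\Windows\\|\\Program Files' } | Format-Table -AutoSize

"Snapshot written to $OutDir"
```

Save it as, for example, triage-snapshot.ps1 on the tools USB and run it once per sampled computer; diffing the three CSVs across the sample set is the quickest way to find the "common threads" slide 5 asks for. The script only reads system state, so it does not disturb the evidence the talk says it is not about.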
Slide 11 Sample process of discovery (flow diagram)
Examine AV logs → Login as ADMIN (Passwd? → ERD) → tcpview / procexp / autoruns → Process name → Search the disk → Time of infection → Processes used → DUH → VECTOR
Slide 12 Anti-Virus may answer all questions
Slide 13 TCPView – what it looks like (my cpu)
Slide 14 Procexp – what it looks like (my cpu)
Slide 15 Autoruns – what it looks like (my cpu)
Slide 16 Determining the likely infection vector
» Look for a file created or used by the malware
» Search the disk for files created on the same date as the identified file
o Sort by time
» Check all the files created immediately preceding the infection file
» Pay attention to 'prefetch' files that show what commands were executed
Slide 17 TCPView – what it looks like (infected cpu)
Slide 18 Procexp – what it looks like (infected proc)
Slide 19 Search for files (oracle.exe)
Slide 20 Correlate with Event Logs
Slide 21 Search for files (oracle.exe)
Slide 22 Correlate to the event log (system)
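Slide 16 describes the timeline step (files created around the indicator file, sorted by time, plus prefetch) and slides 20 and 22 the correlation of that window with the event logs. The script below is an added example that does both in one pass; it is not the deck's or Sysinternals' code. It assumes an elevated prompt on the isolated machine, a hypothetical indicator path (the deck's screenshots use a file named oracle.exe; the directory here is invented), a 30-minute window chosen here, and a current Windows event log (the event IDs 7045, 4624 and 4688 are the modern System/Security IDs, not the 2006-era ones).

```powershell
# Added example (not from the original deck): timeline around an indicator file,
# prefetch entries in the same window, and event log records for correlation.
# Assumptions: elevated prompt; $Indicator is a hypothetical path; $WindowMinutes and
# $OutDir are values chosen for this example.
param(
    [string]$Indicator = 'C:\Windows\System32\oracle.exe',   # hypothetical; deck's example name
    [int]$WindowMinutes = 30,
    [string[]]$Roots = @('C:\'),
    [string]$OutDir = "E:\triage\timeline"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$hit  = Get-Item -LiteralPath $Indicator -Force
$t0   = $hit.CreationTime
$from = $t0.AddMinutes(-$WindowMinutes)
$to   = $t0.AddMinutes($WindowMinutes)
"Indicator $($hit.FullName) created $t0 (modified $($hit.LastWriteTime)); window $from .. $to"

# 1. Files created in the window, sorted by time. Those created just before the
#    indicator are the candidates for the dropper or the vector (browser cache, mail
#    attachment, share, removable media). NTFS timestamps can be altered, so treat
#    creation time as a lead to confirm with the other sources, not as proof.
$files = foreach ($r in $Roots) {
    Get-ChildItem -LiteralPath $r -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to }
}
$timeline = $files | Sort-Object CreationTime | ForEach-Object {
    [pscustomobject]@{
        When   = $_.CreationTime
        Offset = [math]::Round(($_.CreationTime - $t0).TotalSeconds)   # seconds relative to the indicator
        Size   = $_.Length
        Path   = $_.FullName
    }
}
$timeline | Export-Csv -NoTypeInformation -Path "$OutDir\files.csv"
"--- last 25 files created at or before the indicator ---"
$timeline | Where-Object { $_.Offset -le 0 } | Select-Object -Last 25 | Format-Table -AutoSize

# 2. Prefetch: each .pf file is named after the executable that ran, and its
#    last-write time is the most recent run, so entries in the window show what was
#    executed. Prefetch is on by default on client Windows but often off on servers.
$pf = Get-ChildItem 'C:\Windows\Prefetch\*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
    Sort-Object LastWriteTime | Select-Object LastWriteTime, Name
$pf | Export-Csv -NoTypeInformation -Path "$OutDir\prefetch.csv"
"--- prefetch entries in window ---"
$pf | Format-Table -AutoSize

# 3. Event logs for the same window. Service installs (System 7045), logons
#    (Security 4624) and process-creation audits (Security 4688, if auditing is on)
#    are the records that tie the file to an actor or a remote session.
$events = foreach ($log in 'System', 'Security', 'Application') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $from; EndTime = $to } -ErrorAction SilentlyContinue
}
$summary = { ($_.Message -split "`r?`n")[0] }   # first line of the message only
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName, @{ n = 'Summary'; e = $summary } |
    Export-Csv -NoTypeInformation -Path "$OutDir\events.csv"
"--- service installs, logons and process creations in window ---"
$events | Where-Object { $_.Id -in 7045, 4624, 4688 } | Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, Id, @{ n = 'Summary'; e = $summary } -AutoSize
```

Read the three outputs together: a file from a browser cache or mail store a few seconds before the indicator, a prefetch entry for a process that should not have run, and a logon or service-install record at the same moment point at the same vector, and that agreement is what lets the hypothesis on slide 25 be tuned rather than guessed.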
Slide 23 Focus on the strange
Slide 24 Google what you don't understand
» "Terminal Services supports the automatic redirection of printers that are configured to use local ports (such as LPT1, LPT2, or LPT3) on computers that have open client sessions through the Remote Desktop Protocol (RDP) 5 client."
» "rdpclip.exe is the executable for File Copy. It provides functions for the Terminal Services server that allow you to copy and paste between server and client."
Slide 25 Correlate findings and tune hypothesis
» Is the infection airborne?
» Is the compromise due to user activity?
» Is there a policy problem?
» What is the population of at-risk computers?
» APPLY WHAT YOU KNOW NOW TO SIMILARLY INFECTED COMPUTERS.
Slide 26 Did you meet your objectives?
o Is the infection known, or new?
– If new, grab a copy and send it to your AV vendor for analysis
– Is there a DAT file that needs to be distributed?
o Define the vector: airborne or clickaholic?
– Is there a block to be effected?
– Is this an education opportunity?
o Define the threatened population: desktop and/or infrastructure?
– Specific patch level?
– Specific application?
Slide 27 Close the incident
» Recommendations
o Assist in developing the mitigation strategy
o Close any holes
o Clean infected computers
» Redefine normal
» Educate and Evaluate
Slide 28