Published by Jackeline Hobday
© 2006 The Trustees of Boston College
Slide 1: Forensics in Fifteen
Evaluating Computers for Technical, rather than Legal, information.
Copyright David Bowie 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Slide 2: Overview
» What this talk is about
  o How to quickly assess what is going on from a technical POV
  o Drawing conclusions based upon a small sample size
  o How to use public tools and current data to understand an incident
  o Windows-centric
» What this talk is NOT about
  o How to obtain evidence
  o How to preserve evidence
  o How to conduct an investigation
  o How to secure a computer used in a crime
  o How to respond to a subpoena
  o IANAL
Slide 3: Who am I?
» David Bowie
  o Senior Security Analyst with Boston College
  o CISSP
  o President, Boston InfraGard Members Alliance
  o 20 yrs with a Tier-1 ISP (BBN, GTE-I, Genuity, Level-3)
  o firstname.lastname@example.org
Slide 4: Before an incident
» Cultivate your (extended) network
  o IPS/IDS
  o Snort
  o Network flows
  o DNS queries
  o Network/policy changes
  o Chatter: mail lists & industry websites
» Check your toolkit
  o Latest tools on CD or USB
  o Blank CDs & USB for data
  o Laptop for browsing & IM
  o Notebook
Slide 5: Basic process
» Define a set of sample computers
  o Triage
» Isolate the computers
  o Controlled test environment
» Evaluate the common threads
  o Apps & activities
» Theorize on the likely infection & vector
  o Occam's Razor
» Validate your hypothesis
  o Test to prove
  o Don't be afraid to be wrong
» SET your GOALS
  o Confirm or eliminate known infections
  o Define the vector: airborne or clickaholic?
  o Define the threatened population
Slide 6: Triage à la M*A*S*H
» Focus your efforts on those who will survive…
  o Those who need care within five minutes are "immediate"
  o Those with stabilized injuries, but needing treatment, are "delayed"
  o Patients whose wounds are beyond the ability to treat and who are likely to die are labeled "expectant"
» Applying this to computers…
  o Is the computer running the required SW?
  o Does the computer NOT have games/sharing SW?
  o Is the computer portable?
Slide 7: Clearing the decks for action
» Gather your tools
» Define a location
» Hints:
  o Know what allows you to change the boot order (usually possible, but some BIOS work differently)
  o Keep a hard-copy notebook – log everything
  o Open WORD on the target computer for screen captures (remember that the capture is of the active window)
  o Save everything to your USB disk in separate folders; burn to CD later
  o Dedicate time to the process: this is either an incident, or it is not.
Slide 8: What tools do I use?
» Public tools
  o TCPview
  o Procexp
  o Autoruns
  o MSConfig
  o Rootkit Revealer
  o WFT
  o HELIX
» Purchased tools
  o ERD Commander
» Where to get tools
  o Sysinternals (www.sysinternals.com): free tools
  o Winternals (www.winternals.com): purchased tools
  o Foundstone (www.foundstone.com): free tools
  o HELIX (www.e-fense.com/helix): free Knoppix with tools
  o WFT (www.foolmoon.net/security/wft): free tools in a single package
Slide 9: Tools & Toys
» Interesting place for new tools and to share tools
  o www.opensourceforensics.org/tools/windows.html
» Top free tools
  o www.insecure.org/tools.html
» Knoppix
  o www.knoppix.net
  o Free bootable Linux CD by Klaus Knopper
Slide 10: Using the tools
» TCPView
  o Watch for attempts to connect for no reason; trace them back to the application or service
» Procexp
  o Look for odd processes or services started remotely; find the names
» Autoruns
  o Look for applications that start automatically; are they suspect?
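As an added example (not from the presentation), a scripted stand-in for the TCPView/Procexp step: it joins `netstat -ano` rows to `tasklist` rows on PID, so every connection carries its owning image name, and flags outbound sessions from processes that have no known reason to talk out. Both text samples, the process names, the addresses and the `expected_images` allow-list are constructed assumptions.

```python
"""Scripted stand-in for the TCPView/Procexp step on slide 10: join each connection
to its owning process and flag outbound sessions with no obvious reason.
Both text blocks below are CONSTRUCTED samples, not real captures."""
import csv
from collections import namedtuple

# Constructed sample in the layout of `netstat -ano` on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1320
  TCP    10.0.0.5:1055          203.0.113.9:6667       ESTABLISHED     2716
  TCP    10.0.0.5:1062          198.51.100.20:443      ESTABLISHED     3404
  UDP    0.0.0.0:500            *:*                                    1068
"""

# Constructed sample in the layout of `tasklist /fo csv /nh`.
TASKLIST_SAMPLE = """\
"svchost.exe","880","Services","0","6,012 K"
"svchost.exe","1320","Services","0","4,880 K"
"oracle.exe","2716","Console","0","3,112 K"
"iexplore.exe","3404","Console","0","40,220 K"
"lsass.exe","1068","Services","0","5,900 K"
"""

Conn = namedtuple("Conn", "proto local remote state pid image")

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV rows (image, PID, session, ...)."""
    return {int(row[1]): row[0] for row in csv.reader(text.splitlines()) if len(row) >= 2}

def parse_netstat(text, pids):
    """Parse netstat -ano rows into Conn records; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) == 5:                      # TCP: proto local remote state pid
            proto, local, remote, state, pid = parts
        elif len(parts) == 4:                    # UDP: proto local remote pid
            (proto, local, remote, pid), state = parts, ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid), pids.get(int(pid), "?")))
    return conns

def suspicious(conns, expected_images=("iexplore.exe",)):
    """Outbound sessions owned by a process with no known reason to talk out."""
    return [c for c in conns
            if c.state in ("ESTABLISHED", "SYN_SENT") and c.image not in expected_images]
```

On a live host, feed the real command output to the two parsers in place of the samples; `suspicious()` then returns the Conn records worth tracing back in Procexp.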
Slide 11: Sample process of discovery (flow chart)
Examine AV logs → Login as ADMIN (Passwd? → ERD) → tcpview / procexp / autoruns → Process name → Search the disk → Time of infection → Processes used → DUH → VECTOR
Slide 12: Anti-Virus may answer all questions
Slide 13: TCPView – what it looks like (my cpu)
Slide 14: Procexp – what it looks like (my cpu)
Slide 15: Autoruns – what it looks like (my cpu)
Slide 16: Determining the likely infection vector
» Look for a file created or used by the malware
» Search the disk for files created on the same date as the identified file
  o Sort by time
» Check all the files created immediately preceding the infection file
» Pay attention to 'prefetch' files that show what commands were executed
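The four steps above as one script, added here as an example and not part of the original presentation: it puts the identified file on a same-day timeline, isolates what was created in the minutes just before it, and reads executable names out of Prefetch entries. The records, paths, timestamps and Prefetch hashes are constructed; `scan_tree()` is the hypothetical helper you would use on a real disk instead.

```python
"""Added example for slide 16: put the identified malware file on a timeline with
the files created around it, then pull out what was written just before it and
what the Prefetch folder says was executed. SAMPLE_RECORDS is CONSTRUCTED data."""
import ntpath
import os
from datetime import datetime, timedelta

# Constructed (path, creation time) records as a disk search would return them.
SAMPLE_RECORDS = [
    (r"C:\WINDOWS\system32\oracle.exe", datetime(2006, 3, 14, 22, 41, 10)),
    (r"C:\WINDOWS\Prefetch\RDPCLIP.EXE-1A2B3C4D.pf", datetime(2006, 3, 14, 22, 39, 55)),
    (r"C:\WINDOWS\Prefetch\ORACLE.EXE-5E6F7A8B.pf", datetime(2006, 3, 14, 22, 41, 12)),
    (r"C:\Documents and Settings\user\Desktop\setup.exe", datetime(2006, 3, 14, 22, 40, 30)),
    (r"C:\WINDOWS\system32\config\SysEvent.Evt", datetime(2006, 3, 14, 9, 2, 0)),
    (r"C:\Program Files\Office\winword.exe", datetime(2005, 11, 2, 8, 0, 0)),
]

def scan_tree(root):
    """Collect real records from a live tree. On Windows st_ctime is the creation
    time; elsewhere st_birthtime is used when the platform provides it."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue            # unreadable or vanished file; keep going
            records.append((path, datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))))
    return records

def same_day(records, anchor_path):
    """Files created on the same date as the identified file, sorted by time."""
    anchor = dict(records)[anchor_path]
    return sorted((r for r in records if r[1].date() == anchor.date()), key=lambda r: r[1])

def preceding(records, anchor_path, window=timedelta(minutes=5)):
    """Files created in the window immediately before the infection file."""
    anchor = dict(records)[anchor_path]
    return [r for r in same_day(records, anchor_path) if anchor - window <= r[1] < anchor]

def prefetch_commands(records):
    """Prefetch entries are named EXECUTABLE-HASH.pf; the name part shows what ran."""
    ran = [(ntpath.basename(p).rsplit("-", 1)[0], t) for p, t in records
           if ntpath.basename(p).lower().endswith(".pf") and "-" in ntpath.basename(p)]
    return sorted(ran, key=lambda x: x[1])

if __name__ == "__main__":
    for path, created in preceding(SAMPLE_RECORDS, SAMPLE_RECORDS[0][0]): print(created, path)
```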
Slide 17: TCPView – what it looks like (infected cpu)
Slide 18: Procexp – what it looks like (infected proc)
Slide 19: Search for files (oracle.exe)
Slide 20: Correlate with Event Logs
Slide 21: Search for files (oracle.exe)
Slide 22: Correlate to the event log (system)
Slide 23: Focus on the strange
Slide 24: Google what you don't understand
» Terminal Services supports the automatic redirection of printers that are configured to use local ports (such as LPT1, LPT2, or LPT3) on computers that have open client sessions through the Remote Desktop Protocol (RDP) 5 client.
» rdpclip.exe is the executable for File Copy. It provides a function for the Terminal Services server that allows you to copy and paste between server and client.
Slide 25: Correlate findings and tune hypothesis
» Is the infection airborne?
» Is the compromise due to user activity?
» Is there a policy problem?
» What is the population of at-risk computers?
» APPLY WHAT YOU KNOW NOW TO SIMILARLY INFECTED COMPUTERS.
Slide 26: Did you meet your objectives?
  o Is the infection known, or new?
    – If new, grab a copy and send it to your AV vendor for analysis
    – Is there a DAT file that needs to be distributed?
  o Define the vector: airborne or clickaholic?
    – Is there a block to be effected?
    – Is this an education opportunity?
  o Define the threatened population: desktop and/or infrastructure?
    – Specific patch level?
    – Specific application?
Slide 27: Close the incident
» Recommendations
  o Assist in developing the mitigation strategy
  o Close any holes
  o Clean infected computers
» Redefine normal
» Educate and Evaluate
Slide 28: David.Bowie@bc.edu
© 2017 SlidePlayer.com Inc. All rights reserved.