Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 The Trustees of Boston College   Slide 1 Forensics in Fifteen Evaluating Computers for Technical, rather than Legal, information. Copyright David.

Published byJackeline Hobday Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2006 The Trustees of Boston College   Slide 1 Forensics in Fifteen Evaluating Computers for Technical, rather than Legal, information. Copyright David."— Presentation transcript:

1 © 2006 The Trustees of Boston College   Slide 1 Forensics in Fifteen Evaluating Computers for Technical, rather than Legal, information. Copyright David Bowie 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 © 2006 The Trustees of Boston College   Slide 2 Overview »What this talk is about o How to quickly assess what is going on from a technical POV o Drawing conclusions based upon a small sample size o How to use public tools and current data to understand an incident o Windows-centric »What this talk is NOT about o How to obtain evidence o How to preserve evidence o How to conduct an investigation o How to secure a computer used in a crime o How to respond to a subpoena o IANAL

3 © 2006 The Trustees of Boston College   Slide 3 Who am I? »David Bowie o Senior Security Analyst with Boston College  CISSP  President, Boston Infragard Member’s Alliance o 20yrs with a Tier-1 ISP  BBN, GTE-I, Genuity, Level-3 o david.bowie@bc.edu

4 © 2006 The Trustees of Boston College   Slide 4 Before an incident »Cultivate your (extended) network o IPS/IDS o Snort o Network flows o DNS queries o Network/policy changes o Chatter  mail lists & Industry websites »Check your toolkit o Latest tools on CD or USB o Blank CDs & USB for data o Laptop for browsing & IM o Notebook

5 © 2006 The Trustees of Boston College   Slide 5 Basic process »Define a set of sample computers o Triage »Isolate the computers o Controlled test environment »Evaluate the common threads o Apps & activities »Theorize on the likely infection & vector o Occam’s Razor »Validate your hypothesis o Test to prove o Don’t be afraid to be wrong »SET your GOALS o Confirm or eliminate known infections o Define the vector  airborne or clickaholic? o Define the threatened population

6 © 2006 The Trustees of Boston College   Slide 6 Triage a’ la M*A*S*H »Focus your efforts on those who will survive… o Those who need care within five minutes are "immediate“ o Those with stabilized injuries, but needing treatment, are "delayed" o Patients whose wounds are beyond the ability to treat and who are likely to die are labeled "expectant" »Applying this to computers… o Is the computer running the required SW? o Does the computer NOT have games/sharing SW? o Is the computer portable?

7 © 2006 The Trustees of Boston College   Slide 7 Clearing the decks for action »Gather your tools »Define a location »Hints: o allows you to change the boot order  Usually, but some BIOS work different o Keep a hard-copy notebook – log everything o Open WORD on the target computer for screen captures  Remember will capture the active window o Save everything to your USB disk in separate folders  Burn to CD later o Dedicate time to the process  This is either an incident, or not.

8 © 2006 The Trustees of Boston College   Slide 8 What tools do I use? »Public tools o TCPview o Procexp o Autoruns o MSConfig o Rootkit revealer o WFT o HELIX »Purchased tools o ERD Commander »Where to get tools o Sysinternals  www.sysinternals.com  Free tools o Winternals  www.winternals.com  Purchased tools o Foundstone  www.foundstone.com  Free tools o HELIX  www.e-fense.com/helix  Free knoppix with tools o WFT  www.foolmoon.net/security /wft  Free tools in a single package

9 © 2006 The Trustees of Boston College   Slide 9 Tools & Toys »Interesting place for new tools and to share tools o www.opensourceforensics.org/tools/windows.html »Top free tools o www.insecure.org/tools.html »Knoppix o www.knoppix.net o Free bootable linux CD by Klaus Knopper

10 © 2006 The Trustees of Boston College   Slide 10 Using the tools »TCPView o Watch for attempts to connect for no reason  Trace back to the application or service »Procexp o Look for odd processes or services started remotely  Find the names »Autoruns o Look for applications that start automatically  Are they suspect?

11 © 2006 The Trustees of Boston College   Slide 11 Sample process of discovery Examine AV logs Login as ADMIN Passwd? ERD tcpviewprocexpautoruns Process name Search the disk Time of infection Processes used DUH VECTOR

12 © 2006 The Trustees of Boston College   Slide 12 Anti-Virus may answer all questions

13 © 2006 The Trustees of Boston College   Slide 13 TCPView – what it looks like (my cpu)

14 © 2006 The Trustees of Boston College   Slide 14 Procexp – what it looks like (my cpu)

15 © 2006 The Trustees of Boston College   Slide 15 Autoruns - what it looks like (my cpu)

16 © 2006 The Trustees of Boston College   Slide 16 Determining the likely infection vector »Look for a file created or used by the malware »Search the disk for files created on the same date as the identified file o Sort by time »Check all the files created immediately preceding the infection file »Pay attention to ‘prefetch’ files that show what commands were executed

17 © 2006 The Trustees of Boston College   Slide 17 TCPView – what it looks like (infected cpu)

18 © 2006 The Trustees of Boston College   Slide 18 Procexp – what it looks like (infected proc)

19 © 2006 The Trustees of Boston College   Slide 19 Search for files (oracle.exe)

20 © 2006 The Trustees of Boston College   Slide 20 Correlate with Event Logs

21 © 2006 The Trustees of Boston College   Slide 21 Search for files (oracle.exe)

22 © 2006 The Trustees of Boston College   Slide 22 Correlate to the event log (system)

23 © 2006 The Trustees of Boston College   Slide 23 Focus on the strange

24 © 2006 The Trustees of Boston College   Slide 24 Google what you don’t understand »Terminal Services supports the automatic redirection of printers that are configured to use local ports (such as LPT1, LPT2, or LPT3) on computers that have open client sessions through the Remote Desktop Protocol (RDP) 5 client. »rdpclip.exe is the executable for File Copy. It is provides function for Terminal Services server that allows you to copy and paste between server and client.

25 © 2006 The Trustees of Boston College   Slide 25 Correlate findings and tune hypothesis »Is the infection airborne? »Is the compromise due to user activity? »Is there a policy problem? »What is the population of at-risk computers? »APPLY WHAT YOU KNOW NOW TO SIMILARLY INFECTED COMPUTERS.

26 © 2006 The Trustees of Boston College   Slide 26 Did you meet your objectives? o Is the infection known, or new?  If new – grab a copy and send it to your AV vendor for analysis –Is there a DAT file that needs to be distributed? o Define the vector  Airborne or Clickaholic? –Is there a block to be effected? –Is this an education opportunity? o Define the threatened population  Desktop and/or infrastructure? –Specific patch level? –Specific application?

27 © 2006 The Trustees of Boston College   Slide 27 Close the incident »Recommendations o Assist in developing the mitigation strategy o Close any holes o Clean infected computers »Redefine normal »Educate and Evaluate

28 © 2006 The Trustees of Boston College   Slide 28 David.Bowie@bc.edu

Download ppt "© 2006 The Trustees of Boston College   Slide 1 Forensics in Fifteen Evaluating Computers for Technical, rather than Legal, information. Copyright David."

Similar presentations

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.

Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.
So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,

So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
February 2006 copyright Michael Welch, Blinn College This work is the intellectual property of the author. Permission is granted for this material to be.

February 2006 copyright Michael Welch, Blinn College This work is the intellectual property of the author. Permission is granted for this material to be.
Malware Response Infrastructure Planning and Design Published: February 2011 Updated: November 2011.

Malware Response Infrastructure Planning and Design Published: February 2011 Updated: November 2011.
Educause Security Professionals Conference Network Access Control through Quarantine, Remediation, and Verification Jonny Sweeny Incident Response Manager.

Educause Security Professionals Conference Network Access Control through Quarantine, Remediation, and Verification Jonny Sweeny Incident Response Manager.
Educause Security 2007ISC Information Security Copyright Joshua Beeman, 2007. This work is the intellectual property of the author. Permission is granted.

Educause Security 2007ISC Information Security Copyright Joshua Beeman, This work is the intellectual property of the author. Permission is granted.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
CMPTR1 CHAPTER 3 COMPUTER SOFTWARE Application Software – The programs/software/apps that we run to do things like word processing, web browsing, and games.

CMPTR1 CHAPTER 3 COMPUTER SOFTWARE Application Software – The programs/software/apps that we run to do things like word processing, web browsing, and games.
Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.

Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Copyright Anthony K. Holden, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Anthony K. Holden, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This.

Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, This.
Copyright Shanna Smith & Tom Bohman (2003). This work is the intellectual property of the authors. Permission is granted for this material to be shared.

Copyright Shanna Smith & Tom Bohman (2003). This work is the intellectual property of the authors. Permission is granted for this material to be shared.
Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.

Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.
File sharing. Connect the two win 7 systems with LAN card Open the network.

File sharing. Connect the two win 7 systems with LAN card Open the network.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google