Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis.


December 1, 2015 © Wiley Inc. 2007. All Rights Reserved
2 Chapter Topics
– Purpose of tool analysis
– Tools & Techniques

3 Purpose of Tool Analysis
– Understand the tool the attacker used: what it does and how it works
– Understand the impact or damage done to the target system
– Be able to demonstrate later in court how the intrusion occurred
– Enables detailing of the damage done to the system and to connected systems

4 Tools & Techniques
– Run antivirus / spyware detection tools over the sample first
– Strings
  – Extracts and displays the plain-text strings embedded in executables, DLLs, etc.
– Dependency Walker
  – Shows which modules the attacker's code depends on
  – Helps you understand what the code is doing
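A small strings extractor, added here as an illustration of what the Strings step on this slide actually pulls out of a binary (this is example code, not a tool from the book or the Sysinternals utility). The one detail worth seeing in code is that Windows binaries carry many of their interesting strings (registry paths, command lines) as UTF-16LE "wide" strings, which an ASCII-only pass misses entirely. The SAMPLE blob is constructed for the demo and is not a real malware sample; the minimum length of 4 characters matches the Sysinternals default.

```python
import re
from typing import List, Tuple

MIN_LEN = 4  # Sysinternals strings also defaults to 4 characters


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len characters.

    Two encodings are scanned: 7-bit ASCII, and UTF-16LE (each printable ASCII
    byte followed by a NUL), which is how Windows stores "wide" strings such as
    registry paths and command lines inside PE files.
    """
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)  # file order, regardless of encoding


def strings_by_encoding(data: bytes, encoding: str) -> List[str]:
    """Just the text of the strings found in one encoding ("ascii" or "utf16"), in file order."""
    return [text for _off, enc, text in extract_strings(data) if enc == encoding]


# Constructed stand-in for a suspicious binary (not a real sample): a fake DOS stub,
# an ASCII hostname, and two wide strings that an ASCII-only pass would never show.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + "cmd.exe /c net user".encode("utf-16-le")
    + b"\x00\x00\x7f\x01\x02"
    + b"ftp.example.com\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00ab\x00"
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:#08x}  {enc:5}  {text}")
```

Run it on a real file with `extract_strings(open(path, "rb").read())`. When the output is short, or contains only the DOS stub and import names, suspect packing or runtime decryption; that is the point at which the monitoring approach on the next slides becomes necessary.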

5 Tools & Techniques
– Monitor the code while it runs
  – Create a clone system (VMware, shadow drive, restored copy)
  – Keep it in a sandbox: isolate it on the network
  – Set up monitoring tools: Regmon, Filemon, InCtrl5

6 Tools & Techniques
– Install live-analysis tools: PsList, Netstat, Tasklist (tlist), Fport, Whoami
– Set up a network traffic monitoring tool (Wireshark)
  – Use whatever tools you would use for a live response to analyze the impact and function of the bad code
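The monitoring procedure on slides 5 and 6 rests on a before/after comparison of the clone; InCtrl5 does this for the file system and registry. The script below is an added example of the file-system half of that comparison, written for this page and not derived from InCtrl5 or the book. It hashes every file under a root before and after the sample runs and reports what was added, removed or modified. The toy "system drive" it builds in a temporary directory, and the side effects it simulates (a dropped look-alike binary, a patched DLL, a deleted log), are constructed for the demo; the registry half is left out.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size in bytes, SHA-256 hex digest)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Walk root and record the size and content hash of every regular file."""
    root_path = Path(root)
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file():
                continue  # skip dangling symlinks, devices, etc.
            snap[p.relative_to(root_path).as_posix()] = (p.stat().st_size, sha256_file(p))
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified between two snapshots.

    Comparing content hashes rather than timestamps means a file rewritten with
    the same size and a restored modification time still shows up as modified.
    """
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a toy system drive, snapshot it, simulate the bad code's side effects, re-snapshot, diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = Path(root) / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"A" * 100)
        (Path(root) / "Windows" / "win.ini").write_text("[fonts]\n")
        (Path(root) / "Temp").mkdir()
        (Path(root) / "Temp" / "setup.log").write_text("ok\n")
        before = snapshot(root)

        # Simulated side effects of running the sample (constructed, not from a real case):
        # drop a look-alike binary, patch a system DLL without changing its size, delete a log.
        (sys32 / "svchosts.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (sys32 / "kernel32.dll").write_bytes(b"A" * 99 + b"B")
        (Path(root) / "Temp" / "setup.log").unlink()
        after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind)
        for p in paths:
            print("   ", p)
```

On a real clone, take the "before" snapshot from the clean image, run the sample, and take the "after" snapshot from the forensic image of the compromised clone rather than from inside the running guest, so that a rootkit hiding files from the live file-system API cannot hide them from the comparison.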

7 InCtrl5 Results

8 FileMon Results

9 RegMon Results

10 Forensic Exam of the "Compromised Clone"
– After you've run the bad code on the test machine, forensically examine it
– If you cloned a physical drive, examine the clone device
– If you used VMware, create a full clone of the compromised VMware image
– Examine the compromised full-clone image with a forensic tool such as EnCase

11 EnCase View of VMware Image

12 Examine Results of Network Traffic
– When the test host was compromised, what network traffic did the bad code generate during and after installation?
– Wireshark (formerly Ethereal) network monitoring tool

13 Ethereal View of Bad Code Attempting to Contact an FTP Server

14 Do External Port Scan & Compare to Netstat Results
– A rootkit can hide open ports and processes from the user
– By comparing the netstat results with those of an external port scan, you can often detect the presence of a rootkit
– The telling direction is a port the scan finds open that netstat on the host does not list; the reverse (listed by netstat, not reached by the scan) is usually a loopback-bound or firewalled listener, not evidence of hiding

15 Results of “netstat –an”

16 Results?
– Netstat showed 9 open TCP ports
– SuperScan showed 10 open TCP ports
– Why? The rootkit is hiding one of the TCP ports, so netstat on the compromised host can't be relied upon to be accurate

17 Results of SuperScan
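The comparison on slides 14 to 17 can be automated, which matters when the port counts are large enough that eyeballing two lists is error-prone. The script below is an added example written for this page, not code from the book: it parses the host's own `netstat -an` output and an external scan, and reports the ports the scan saw that netstat did not admit to. Both outputs here are constructed for the demo, and the scan side is assumed to be nmap "grepable" (`-oG`) output rather than the SuperScan output shown on the slides; any scanner output you can parse works the same way. The constructed netstat output includes a loopback-only listener on 8080 to show why the reverse direction of the comparison is not a rootkit signal.

```python
import re
from typing import List, Set

# Constructed output in the format of "netstat -an" on Windows (not from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:50122     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed external scan of the same host in nmap grepable (-oG) format.
# The slides used SuperScan; the parsing is the only scanner-specific part.
NMAP_SAMPLE = """
# Nmap 7.94 scan initiated as: nmap -p- -oG - 192.168.1.10
Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.10 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///  Ignored State: closed (65530)
"""

# Local address may be IPv4 (0.0.0.0:135) or bracketed IPv6 ([::]:135); the port is after the last colon.
_NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)
_NMAP_OPEN = re.compile(r"(\d+)/open/tcp")


def listening_tcp_ports(netstat_text: str) -> Set[int]:
    """TCP ports the host itself reports as LISTENING, on any local address."""
    return {int(p) for p in _NETSTAT_LISTEN.findall(netstat_text)}


def scanned_open_ports(nmap_grepable: str) -> Set[int]:
    """TCP ports an external scan found open, from nmap -oG output."""
    return {int(p) for p in _NMAP_OPEN.findall(nmap_grepable)}


def hidden_ports(netstat_text: str, nmap_grepable: str) -> List[int]:
    """Reachable from outside but absent from the host's own netstat: the rootkit signal."""
    return sorted(scanned_open_ports(nmap_grepable) - listening_tcp_ports(netstat_text))


def local_only_ports(netstat_text: str, nmap_grepable: str) -> List[int]:
    """Listed by netstat but not reached by the scan: usually loopback-bound or firewalled."""
    return sorted(listening_tcp_ports(netstat_text) - scanned_open_ports(nmap_grepable))


if __name__ == "__main__":
    print("netstat LISTENING :", sorted(listening_tcp_ports(NETSTAT_SAMPLE)))
    print("scan open         :", sorted(scanned_open_ports(NMAP_SAMPLE)))
    print("hidden from host  :", hidden_ports(NETSTAT_SAMPLE, NMAP_SAMPLE))
    print("local only        :", local_only_ports(NETSTAT_SAMPLE, NMAP_SAMPLE))
```

Capture the netstat output and run the scan as close together in time as possible, from a scanner on the isolated sandbox segment, so that a short-lived listener does not show up as a false discrepancy. Save both raw outputs with the case: the discrepancy is the evidence, and the slide's point is that the compromised host's netstat alone is not.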

