Mastering Windows Network Forensics and Investigation Chapter 6: Live Analysis Techniques.

Chapter Topics:
Prepare a toolkit to acquire RAM from a live system
Identify the pros and cons of performing a live analysis

Finding Evidence in Memory
Hackers attempt to hide evidence of their activities
The traditional focus of LE forensics is the hard drive of the victim
Hackers have designed their toolsets around this philosophy by using code that will only execute in RAM
  – DLL injections
  – Hooks

IR Considerations
Pulling the plug will remove invaluable data from RAM
Keep interaction with the target to a bare minimum
Bring your own trusted tools!
Think before you act…then think again
Document everything

Creating a Live-Analysis Toolkit
Think about the reason for performing every action
Use only trusted and validated analysis tools
Request intimate details about the target system
  – OS?
  – Architecture? (32 vs 64 bit?)
Assume you have only one shot to capture volatile data correctly

RAM Acquisition Tools
DumpIt
  – Creates binary dump
  – Supports 32/64-bit
  – CLI
WinEN
  – Creates EnCase evidence file
  – Supports 32/64-bit
  – CLI
FTK Imager Lite
  – Creates binary dump
  – Supports 32/64-bit
  – GUI-based
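A preflight script that ties the toolkit and acquisition slides together: it validates the tools against a manifest, records the target's OS and architecture, runs a CLI imager, and hashes the dump, logging each step. This is an added example, not code from the book; the manifest name, output folder and imager name are assumptions, and the imager's command line is left to the operator because the slides do not specify it.

```powershell
# Added example, not part of the slides: preflight for a live-response USB toolkit.
# Assumptions (hypothetical): 'tools.sha256' sits beside this script with lines of
# "<sha256> <filename>" built on a clean analyst machine; the imager is in the same
# folder and writes its dump into the working directory it is started from.
param(
    [string]$Imager       = 'DumpIt.exe',                  # assumed CLI imager name
    [string[]]$ImagerArgs = @(),                           # operator-supplied, if any
    [string]$OutDir       = (Join-Path $PSScriptRoot 'output')
)
$ErrorActionPreference = 'Stop'
$ToolRoot = $PSScriptRoot
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Log = Join-Path $OutDir 'live-response.log'

function Note([string]$Msg) {            # timestamped audit trail: document everything
    $line = "$((Get-Date).ToUniversalTime().ToString('o')) $Msg"
    Add-Content -Path $Log -Value $line
    Write-Host $line
}

# 1. Use only validated tools: stop if any binary differs from the manifest.
$manifest = Get-Content (Join-Path $ToolRoot 'tools.sha256') | Where-Object { $_ -match '\S' }
foreach ($entry in $manifest) {
    $expected, $name = $entry.Trim() -split '\s+', 2
    $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $ToolRoot $name)).Hash
    if ($actual -ne $expected.ToUpper()) { Note "ABORT: hash mismatch for $name"; exit 1 }
    Note "verified $name sha256=$actual"
}

# 2. Record OS, architecture (32 vs 64 bit), RAM size and boot time before anything else.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Note ("host={0} os='{1}' build={2} arch={3} lastboot={4:o}" -f $env:COMPUTERNAME,
      $os.Caption, $os.BuildNumber, $os.OSArchitecture, $os.LastBootUpTime.ToUniversalTime())
Note ("ram_kb={0} free_dest_mb={1} operator={2}" -f $os.TotalVisibleMemorySize,
      [math]::Round((Get-Item $OutDir).PSDrive.Free / 1MB), $env:USERNAME)

# 3. One shot at volatile data: run the imager from $OutDir, then hash every new file.
$before = Get-ChildItem -Path $OutDir -File | Select-Object -ExpandProperty Name
$run = @{ FilePath = (Join-Path $ToolRoot $Imager); WorkingDirectory = $OutDir
          Wait = $true; PassThru = $true; NoNewWindow = $true }
if ($ImagerArgs.Count -gt 0) { $run.ArgumentList = $ImagerArgs }
Note "starting $Imager $($ImagerArgs -join ' ')"
$proc = Start-Process @run
Note "$Imager exited with code $($proc.ExitCode)"
Get-ChildItem -Path $OutDir -File | Where-Object { $_.Name -notin $before } | ForEach-Object {
    Note "dump $($_.Name) bytes=$($_.Length) sha256=$((Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash)"
}
```

Keep the log and dump hashes with the evidence; the log is the record that the tools were validated before they touched the target.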

RAM Analysis Tools
Volatility 2.0
  – Open source RAM analysis tool
  – Active network connections
  – Running processes
  – Loaded DLLs
Memoryze
Consider mounted encrypted volumes

Monitoring Communications
Network Sniffer
  – Analyze which IPs are engaged with victim systems
  – Which ports are being used
  – Network packet payload

Monitoring Communications
Network Port Scanner
  – Analyze which ports are open on the network
  – Determine what services are legitimate
Open Source Tools
  – Nmap