Forensics in Fifteen: Evaluating Computers for Technical, rather than Legal, information. © 2006 The Trustees of Boston College. Copyright David Bowie.
Slide 1: Forensics in Fifteen
Evaluating Computers for Technical, rather than Legal, information.
© 2006 The Trustees of Boston College. Copyright David Bowie. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 2: Overview
» What this talk is about
  o How to quickly assess what is going on from a technical point of view
  o Drawing conclusions based upon a small sample size
  o How to use public tools and current data to understand an incident
  o Windows-centric
» What this talk is NOT about
  o How to obtain evidence
  o How to preserve evidence
  o How to conduct an investigation
  o How to secure a computer used in a crime
  o How to respond to a subpoena
  o IANAL

Slide 3: Who am I?
» David Bowie
  o Senior Security Analyst with Boston College
     CISSP
     President, Boston Infragard Member's Alliance
  o 20 years with a Tier-1 ISP
     BBN, GTE-I, Genuity, Level-3

Slide 4: Before an incident
» Cultivate your (extended) network
  o IPS/IDS
  o Snort
  o Network flows
  o DNS queries
  o Network/policy changes
  o Chatter
     Mail lists & industry websites
» Check your toolkit
  o Latest tools on CD or USB
  o Blank CDs & USB for data
  o Laptop for browsing & IM
  o Notebook

Slide 5: Basic process
» Define a set of sample computers
  o Triage
» Isolate the computers
  o Controlled test environment
» Evaluate the common threads
  o Apps & activities
» Theorize on the likely infection & vector
  o Occam's Razor
» Validate your hypothesis
  o Test to prove
  o Don't be afraid to be wrong
» SET your GOALS
  o Confirm or eliminate known infections
  o Define the vector
     Airborne (spreads on its own over the network) or clickaholic (the user launched it)?
  o Define the threatened population

Slide 6: Triage à la M*A*S*H
» Focus your efforts on those who will survive…
  o Those who need care within five minutes are "immediate"
  o Those with stabilized injuries, but needing treatment, are "delayed"
  o Patients whose wounds are beyond the ability to treat and who are likely to die are labeled "expectant"
» Applying this to computers…
  o Is the computer running the required SW?
  o Does the computer NOT have games/sharing SW?
  o Is the computer portable?

Slide 7: Clearing the decks for action
» Gather your tools
» Define a location
» Hints:
  o allows you to change the boot order
     Usually, but some BIOSes work differently
  o Keep a hard-copy notebook – log everything
  o Open WORD on the target computer for screen captures
     Remember that the capture will include only the active window
     Doing this changes the target (new Prefetch and registry entries, USB device history); that is acceptable because the goal here is technical understanding, not evidence (see Slide 2)
  o Save everything to your USB disk in separate folders
     Burn to CD later
  o Dedicate time to the process
     This is either an incident, or not.

Slide 8: What tools do I use?
» Public tools
  o TCPView
  o Procexp (Process Explorer)
  o Autoruns
  o MSConfig
  o RootkitRevealer
  o WFT (Windows Forensic Toolchest)
  o HELIX
» Purchased tools
  o ERD Commander
» Where to get tools
  o Sysinternals – free tools
  o Winternals – purchased tools
  o Foundstone – free tools
  o HELIX – free Knoppix-based bootable CD with tools
  o WFT – free tools in a single package

Slide 9: Tools & Toys
» Interesting place for new tools and to share tools
» Top free tools
» Knoppix
  o Free bootable Linux CD by Klaus Knopper

Slide 10: Using the tools
» TCPView
  o Watch for connections, or connection attempts, that have no reason to exist
     Trace each one back to the owning application or service
» Procexp
  o Look for odd processes, or services that were started remotely
     Find the names: image path, parent process, command line
» Autoruns
  o Look for applications that start automatically
     Are they suspect?
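The same three views, collected in one pass, as an added PowerShell example (this is not code from the original slides): a TCPView-style list of listening and established endpoints mapped to their owning process, a Process Explorer-style list of processes whose image sits outside the Windows and Program Files trees or lacks a valid Authenticode signature, and an Autoruns-style dump of the Run/RunOnce keys and Startup folders. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), run elevated; the USB drive letter E: is an assumption.

```powershell
# Added example, not code from the original slides: a PowerShell pass that
# collects the same three views the talk gathers by hand with TCPView,
# Process Explorer and Autoruns. Assumes PowerShell 5.1 or later on
# Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), run elevated.

# TCPView equivalent: listening and established TCP endpoints, each mapped
# to the owning process's image path and command line.
function Get-ConnectionOwners {
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
    Get-NetTCPConnection | Where-Object { $_.State -in 'Established', 'Listen' } |
        ForEach-Object {
            $p = $byPid[[int]$_.OwningProcess]
            [pscustomobject]@{
                Local       = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State       = $_.State
                Pid         = $_.OwningProcess
                Name        = if ($p) { $p.Name } else { '?' }
                Path        = if ($p) { $p.ExecutablePath } else { '?' }
                CommandLine = if ($p) { $p.CommandLine } else { '?' }
            }
        }
}

# Process Explorer equivalent: flag processes whose image lives outside the
# Windows and Program Files trees or does not carry a valid Authenticode signature.
function Get-SuspectProcesses {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }   # System, Idle and protected processes expose no path
        $inTrustedDir = $false
        foreach ($t in $trusted) {
            if ($path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
        }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
        if (-not $inTrustedDir -or $status -ne 'Valid') {
            [pscustomobject]@{
                Pid = $_.ProcessId; Parent = $_.ParentProcessId; Name = $_.Name
                Path = $path; Signature = $status; Created = $_.CreationDate
            }
        }
    }
}

# Autoruns equivalent (a subset): the Run/RunOnce keys and the Startup folders.
function Get-StartupEntries {
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $metadata) { continue }
            [pscustomobject]@{ Location = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $folders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Save each view to its own file on the USB disk, as slide 7 recommends.
# The drive letter is an assumption; change it to match your toolkit disk.
$out = Join-Path 'E:\triage' $env:COMPUTERNAME
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-ConnectionOwners | Export-Csv -NoTypeInformation -Path (Join-Path $out 'connections.csv')
Get-SuspectProcesses | Export-Csv -NoTypeInformation -Path (Join-Path $out 'suspect-processes.csv')
Get-StartupEntries   | Export-Csv -NoTypeInformation -Path (Join-Path $out 'autoruns.csv')
```

Two caveats when reading the output. Get-AuthenticodeSignature only understands catalog-signed Windows binaries on recent PowerShell versions, so on older hosts many files under System32 report NotSigned; treat that as "check it", not "malicious". And the Run keys and Startup folders are a fraction of what Autoruns enumerates (services, drivers, scheduled tasks, Winlogon and shell hooks are all missing here), so use this as a first look and run the real tool for the full list.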

Slide 11: Sample process of discovery (flowchart)
1. Examine AV logs
2. Log in as ADMIN – password known? If not, use ERD (Commander) to get in
3. Run tcpview, procexp and autoruns
4. Identify the process name
5. Search the disk for it
6. Establish the time of infection
7. Identify the processes used
8. "DUH" → the VECTOR

Slide 12: Anti-Virus may answer all questions [screenshot]

Slide 13: TCPView – what it looks like (my cpu) [screenshot]

Slide 14: Procexp – what it looks like (my cpu) [screenshot]

Slide 15: Autoruns – what it looks like (my cpu) [screenshot]

Slide 16: Determining the likely infection vector
» Look for a file created or used by the malware
» Search the disk for files created on the same date as the identified file
  o Sort by time
  o Check the modified time too: a file copied onto the box gets a fresh creation time but keeps the source's modified time, so the two can disagree
» Check all the files created immediately preceding the infection file
» Pay attention to Prefetch files (%SystemRoot%\Prefetch\*.pf), which record which executables were run and when
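The procedure above, done in one pass, as an added PowerShell example (not code from the original slides): take the identified malware file as the anchor, collect every file created or written within a window around its creation time, add the Prefetch entries and event-log records from the same window (the correlation slides 20 and 22 do by hand), and print the lot sorted by time. It assumes PowerShell 5.1 or later, run elevated so the Security log is readable; the file name at the bottom is the one the slides use (oracle.exe), and its location under System32 and the E: drive letter are assumptions.

```powershell
# Added example, not code from the original slides: build a timeline around one
# identified malware file, which is what slide 16 does by hand with Explorer's
# date sort and the Prefetch folder. Assumes PowerShell 5.1 or later, run
# elevated so the Security log is readable.
function Get-InfectionTimeline {
    param(
        [Parameter(Mandatory)][string]$SuspectFile,
        [int]$WindowMinutes = 30,
        [string[]]$Roots = @($env:SystemRoot, "$env:SystemDrive\Users", $env:ProgramData)
    )
    $anchor = Get-Item -LiteralPath $SuspectFile
    $t0 = $anchor.CreationTime
    # A copied file keeps its source's modified time but gets a fresh creation
    # time, so "modified before created" is normal for a dropped file: the
    # modified stamp belongs to the attacker's build, not to this box.
    if ($anchor.LastWriteTime -lt $anchor.CreationTime) {
        Write-Warning ('{0}: modified {1} precedes created {2}' -f $anchor.Name, $anchor.LastWriteTime, $anchor.CreationTime)
    }
    $start = $t0.AddMinutes(-$WindowMinutes)
    $end   = $t0.AddMinutes($WindowMinutes)
    $events = New-Object 'System.Collections.Generic.List[object]'
    $add = { param($time, $source, $detail)
        $events.Add([pscustomobject]@{ Time = $time; Source = $source; Detail = $detail }) }

    & $add $t0 'SUSPECT created' $anchor.FullName

    # Files created or written inside the window (slide 16: "sort by time").
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.FullName -eq $anchor.FullName) { return }   # already listed as SUSPECT
                if ($_.CreationTime -ge $start -and $_.CreationTime -le $end) {
                    & $add $_.CreationTime 'File created' $_.FullName
                } elseif ($_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end) {
                    & $add $_.LastWriteTime 'File written' $_.FullName
                }
            }
    }

    # Prefetch: each NAME-HASH.pf is rewritten shortly after NAME runs, so its
    # modified time is the last launch. (Prefetch is off by default on server SKUs.)
    Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        ForEach-Object { & $add $_.LastWriteTime 'Prefetch (last run)' $_.Name }

    # Event logs in the same window (slides 20 and 22: correlate with the event log).
    foreach ($log in 'System', 'Application', 'Security') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $first = if ($_.Message) { ($_.Message -split "`r?`n")[0] } else { '' }
                & $add $_.TimeCreated ('EventLog/{0} id {1} ({2})' -f $log, $_.Id, $_.ProviderName) $first
            }
    }
    $events | Sort-Object Time
}

# Usage: everything within 30 minutes of the suspect file's creation, oldest
# first, kept on the USB disk. The path to oracle.exe and the drive letter are
# assumptions; substitute the file you actually found.
Get-InfectionTimeline -SuspectFile 'C:\WINDOWS\system32\oracle.exe' -WindowMinutes 30 |
    Tee-Object -FilePath 'E:\triage\timeline.txt' | Format-Table -AutoSize
```

Read the result from the suspect file's row upward: the file creations and Prefetch launches just before it are the candidates for the dropper (a browser, a mail client, a remote-access service), and the Security log rows in the same minutes tell you whether someone was logged on interactively or over the network when it landed. Widen the window if the minutes around the anchor are empty; malware that was copied in with its original timestamps will not sort where you expect.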

Slide 17: TCPView – what it looks like (infected cpu) [screenshot]

Slide 18: Procexp – what it looks like (infected proc) [screenshot]

Slide 19: Search for files (oracle.exe) [screenshot]

Slide 20: Correlate with Event Logs [screenshot]

Slide 21: Search for files (oracle.exe) [screenshot]

Slide 22: Correlate to the event log (system) [screenshot]

Slide 23: Focus on the strange [screenshot]

Slide 24: Google what you don't understand
» "Terminal Services supports the automatic redirection of printers that are configured to use local ports (such as LPT1, LPT2, or LPT3) on computers that have open client sessions through the Remote Desktop Protocol (RDP) 5 client."
» "rdpclip.exe is the executable for File Copy. It provides the function on a Terminal Services server that allows you to copy and paste between server and client."
» A lookup tells you what a binary with that name is supposed to do. Confirm that the one on the box is that binary (for rdpclip.exe: located under %SystemRoot%\System32 and carrying a valid Microsoft signature), because malware borrows legitimate names.

Slide 25: Correlate findings and tune hypothesis
» Is the infection airborne?
» Is the compromise due to user activity?
» Is there a policy problem?
» What is the population of at-risk computers?
» APPLY WHAT YOU KNOW NOW TO SIMILARLY INFECTED COMPUTERS.

Slide 26: Did you meet your objectives?
  o Is the infection known, or new?
     If new – grab a copy and send it to your AV vendor for analysis
      – Is there a signature (DAT) file that needs to be distributed?
  o Define the vector
     Airborne or clickaholic?
      – Is there a block to be effected?
      – Is this an education opportunity?
  o Define the threatened population
     Desktop and/or infrastructure?
      – Specific patch level?
      – Specific application?

Slide 27: Close the incident
» Recommendations
  o Assist in developing the mitigation strategy
  o Close any holes
  o Clean infected computers
» Redefine normal
» Educate and Evaluate
