Timeline Analysis
Geoff Black, EnCE, SnortCP, Senior Forensic Consultant, Professional Services Division, Guidance Software, Inc.

Page 1: Usage Scenarios
- Intrusion mapping
- Spyware / malware file dropping
- Suspect activity
- File activity
- Registry key times
- Web history

Page 2: The Common (And Wrong) Way
- Many investigators do not conduct proper timeline analysis.
- EnCase does not give the user an easy method to accomplish this.
- Within Table View you can only add secondary sort columns.
- A secondary sort column only breaks ties where the primary column holds identical values; the other date fields never reorder the rows.
- The result is NOT a unified linear timeline.

Page 3: The Built-in Alternative
- Timeline View gives a decent overview, but it is cumbersome and not at all user-friendly.

Page 4: Proper Method: Unified Linear Timeline
- Considers each date field individually.
- Not locked into sorting on a single field.
- Does not base a second sort on the value of the first field.
- Completely linear across all date fields.
- End result: an entry can be listed multiple times in the timeline, once for each date field.

Page 5: Hands-On Lab
1. Check your time settings: lab machine TZ and evidence TZ.
2. Locate an interesting event.
3. Select a date/time range around the event.
4. Run the Timeline Report EnScript and examine the results.
5. Use Selected Files to narrow your search if necessary.
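The difference between the Table View secondary sort (page 2) and the unified linear timeline (page 4), and the lab steps above (time window, then narrowing by selected files), as an added example. This is not the presenter's Timeline Report EnScript; it is a stand-alone Python illustration over a constructed set of four file entries, each carrying the four NTFS timestamps EnCase shows (File Created, Last Written, Entry Modified, Last Accessed). All paths and times are made up for the example and all times are UTC, as they should be once the evidence time zone has been set correctly.

```python
from collections import namedtuple
from datetime import datetime, timezone

Entry = namedtuple("Entry", "path created written entry_modified accessed")
FIELDS = ("created", "written", "entry_modified", "accessed")


def ts(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' string as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample evidence (paths and times invented for this example).
# update.exe was last written before it was created on this volume: the
# signature of a file copied in from somewhere else.
SAMPLE = [
    Entry(r"C:\Windows\System32\svchost.exe",
          ts("2009-07-14 01:39:46"), ts("2009-07-14 01:39:46"),
          ts("2010-02-03 09:12:00"), ts("2010-02-03 09:12:00")),
    Entry(r"C:\Users\bob\AppData\Local\Temp\update.exe",
          ts("2012-05-09 14:02:11"), ts("2012-05-09 13:58:40"),
          ts("2012-05-09 14:02:15"), ts("2012-05-09 14:02:11")),
    Entry(r"C:\Windows\System32\drivers\xyzdrv.sys",
          ts("2012-05-09 14:02:30"), ts("2012-05-09 14:02:30"),
          ts("2012-05-09 14:02:31"), ts("2012-05-09 14:02:30")),
    Entry(r"C:\Users\bob\Documents\report.docx",
          ts("2012-05-08 17:20:05"), ts("2012-05-09 14:05:50"),
          ts("2012-05-09 14:05:50"), ts("2012-05-09 14:05:50")),
]


def table_view_sort(entries):
    """The common (and wrong) way: primary sort on Created, secondary sort on
    Last Written. The secondary key only breaks ties in the primary key, so
    each file appears once and its other three timestamps never move it."""
    return [e.path for e in sorted(entries, key=lambda e: (e.created, e.written))]


def unified_timeline(entries, start=None, end=None, path_prefix=None):
    """Unified linear timeline: one row per (timestamp, field, path), sorted by
    time alone, so an entry appears up to four times. start/end bound the
    window chosen around the event of interest; path_prefix stands in for
    narrowing to Selected Files."""
    rows = []
    for e in entries:
        if path_prefix and not e.path.lower().startswith(path_prefix.lower()):
            continue
        for field in FIELDS:
            t = getattr(e, field)
            if (start is None or t >= start) and (end is None or t <= end):
                rows.append((t, field, e.path))
    # Ties at identical times keep a stable, documented order: by path, then
    # created < written < entry_modified < accessed.
    rows.sort(key=lambda r: (r[0], r[2], FIELDS.index(r[1])))
    return rows


def render(rows):
    """Text report, one line per timeline row."""
    return "\n".join(f"{t:%Y-%m-%d %H:%M:%S}  {field:<14} {path}" for t, field, path in rows)


if __name__ == "__main__":
    window = (ts("2012-05-09 13:00:00"), ts("2012-05-09 15:00:00"))
    print("Table View sort (one row per file):")
    print("\n".join(table_view_sort(SAMPLE)))
    print("\nUnified linear timeline for the window:")
    print(render(unified_timeline(SAMPLE, *window)))
```

In the unified output the first row in the window is update.exe's Last Written at 13:58:40, four minutes before its own File Created; in the Table View sort that ordering is invisible because the file is placed by its Created time only.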

Page 6: Timeline Report Download

Page 7: Detecting Timestamp Anomalies
- The MFT stores two sets of dates for each file:
  - Standard Information Attribute (the set displayed by EnCase and Windows)
  - File Name Attribute
- Anti-forensics tools modify timestamps: TimeStomp / FileTouch / FileTouchdotNET.
- Popular theories for detection follow on the next pages.
[Figure: MFT Entry Record Structure. MFT Entry Header; Standard Information Attribute; File Name Attribute; Remainder of Record]

Page 8: Detecting Timestamp Anomalies
- Popular theory: TimeStomp writes low-precision timestamps (whole seconds, no sub-second part).
- Problem: so does just about every major installation routine.

Page 9: Detecting Timestamp Anomalies
- Popular theory: the File Name Attribute times will always be earlier than the Standard Information Attribute times for an unaltered file.
- Problem: on standard, well-used drives, expect up to 50% of entries where the FN timestamp is more recent than the SIA timestamp without any manual alteration.

Page 10: Detecting Timestamp Anomalies
- Detection is not reliable through attribute comparison or timestamp precision.
- The only currently reliable method is to identify a known tool on the system.
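The two detection theories from pages 8 and 9, applied to the two timestamp sets described on page 7, as an added example that is not part of the presentation. The Python below builds two constructed, minimal MFT FILE records (header, $STANDARD_INFORMATION, $FILE_NAME, end marker; no update-sequence fixup array, which a parser for real records must undo first), parses the attribute chain back out, and runs both heuristics. One record is shaped like a file dropped by an installer (package-supplied whole-second created/written times, $FILE_NAME written at install time), the other like a file whose $STANDARD_INFORMATION times were set back to 2009 by a stomping tool. Both scenarios, the file names and every timestamp are invented to match the slides' claims; the point is that both records trip both checks, so neither check separates the two.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF  # $STANDARD_INFORMATION, $FILE_NAME, terminator
TICKS_PER_SECOND = 10_000_000                         # FILETIME counts 100 ns ticks since 1601


def to_filetime(text, ticks=0):
    """FILETIME from a constructed 'YYYY-MM-DD HH:MM:SS' UTC string plus sub-second 100 ns ticks."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10 + ticks


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def resident_attr(atype, content):
    """Resident attribute: 24-byte header (type, length, non-resident flag, name length,
    name offset, flags, id, content length, content offset, indexed flag, pad) + content, 8-aligned."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(total, b"\0")


def build_record(name, si_times, fn_times):
    """Constructed 1024-byte FILE record. Real records carry a fixup array whose
    values overwrite the last two bytes of each sector; this one does not."""
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)        # 4 FILETIMEs, DOS attrs, versions, class id
    enc = name.encode("utf-16-le")                             # parent ref: MFT entry 5 (root), sequence 5
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_times, 0, 0, 0x20, 0, len(name), 3) + enc
    body = resident_attr(ATTR_SI, si) + resident_attr(ATTR_FN, fn) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 0, 0, 1, 1, 0x38, 1,
                      0x38 + len(body), 1024, 0, 2, 0, 42)
    return (hdr.ljust(0x38, b"\0") + body).ljust(1024, b"\0")


def parse_record(rec):
    """Walk the attribute chain of a FILE record; return SI times, FN times and the name.
    If a file has several $FILE_NAME attributes (8.3 plus long name) the last one wins."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]               # offset of first attribute
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                                  # resident; timestamps always are
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff: off + coff + clen]
            if atype == ATTR_SI:
                out["si"] = struct.unpack_from("<4Q", content, 0)   # created, written, entry modified, accessed
            elif atype == ATTR_FN:
                out["fn"] = struct.unpack_from("<4Q", content, 8)   # same four, as stored in $FILE_NAME
                out["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        off += alen
    return out


def low_precision(si):
    """Page 8 theory: created and written carry no sub-second part. Entry-modified is
    excluded here because NTFS sets it itself, with full precision, on any record change."""
    return all(t % TICKS_PER_SECOND == 0 for t in si[:2])


def fn_newer_than_si(si, fn):
    """Page 9 theory: some $FILE_NAME time is later than its $STANDARD_INFORMATION counterpart."""
    return any(f > s for s, f in zip(si, fn))


def assess(rec):
    p = parse_record(rec)
    return {"name": p["name"], "low_precision": low_precision(p["si"]),
            "fn_newer": fn_newer_than_si(p["si"], p["fn"])}


INSTALL_TIME = to_filetime("2012-05-09 14:02:15", 8_214_400)
# Installer-dropped file (constructed): package times are whole seconds, $FILE_NAME was written at install.
INSTALLED = build_record("installer.dll",
                         si_times=[to_filetime("2009-07-14 01:39:46")] * 2 + [INSTALL_TIME] * 2,
                         fn_times=[INSTALL_TIME] * 4)
# Stomped file (constructed): all four SI times set back to 2009, $FILE_NAME still shows the real 2012 time.
STOMPED = build_record("stomped.exe",
                       si_times=[to_filetime("2009-07-14 01:39:46")] * 4,
                       fn_times=[to_filetime("2012-05-09 14:02:30", 5_678_901)] * 4)

if __name__ == "__main__":
    for rec in (INSTALLED, STOMPED):
        print(assess(rec))
```

Both dictionaries come back with low_precision and fn_newer set, which is the slide's conclusion in code: the checks raise the same flags for the benign installer artifact as for the stomped file, so they can rank entries for review but cannot prove tampering. Corroboration still has to come from finding the tool (or its prefetch, registry or log traces) on the system.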

Page 11: Virtual Private Computing - MojoPac
