Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis.

Presentation transcript:

Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis

December 1, 2015 © Wiley Inc. All Rights Reserved
Chapter Topics:
– Purpose of tool analysis
– Tools & techniques

Purpose of Tool Analysis
– Understand the tool used by the attacker: what it does and how it works
– Understand the impact or damage done to the target system
– Be able to demonstrate later in court how the intrusion occurred
– Enables detailing of the damage done to the system and to connected systems

Tools & Techniques
– Use various antivirus / spyware detection tools first (a known signature saves analysis time, but a clean result does not prove the code is benign)
– Strings: enables extraction and viewing of plain-text strings from within executables, DLLs, etc.; look for URLs, IP addresses, file paths, registry keys and Windows API names
– Dependency Walker: shows which modules the attacker's code depends on, which assists with understanding what the code does (an import of WININET.dll, for example, points to network activity)
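As an added example (not code from the book), the strings step above can be reproduced and triaged in a few lines: the block below pulls both ASCII and UTF-16LE runs out of a byte buffer, then buckets them into the indicator classes an analyst checks first (URLs, IPv4 addresses, registry paths, suspicious API names, DLL names). The sample binary, the indicator patterns and the minimum length of 4 are constructed for this illustration; a real executable would be read from disk with `open(path, "rb").read()`.

```python
import re

MIN_LEN = 4  # minimum printable run to report (assumption for this example)

# Indicator classes an analyst checks first in a strings dump (constructed list).
INDICATORS = [
    ("url", re.compile(r"(?:https?|ftp)://\S+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("registry", re.compile(r"(?:HKLM|HKCU|HKEY_\w+)\\|\\CurrentVersion\\Run", re.I)),
    ("api", re.compile(r"^(?:CreateRemoteThread|WriteProcessMemory|URLDownloadToFile\w?|"
                       r"InternetOpen\w?|WSAStartup|RegSetValueEx\w?|SetWindowsHookEx\w?)$")),
    ("dll", re.compile(r"^\w+\.dll$", re.I)),
]


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run of at
    least min_len printable characters, sorted by file offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE text shows up as printable byte, NUL byte, printable byte, NUL ...
    # An ASCII-only pass never sees these runs, which is where many URLs hide.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def triage(strings):
    """Bucket extracted strings under the first indicator pattern they match."""
    hits = {}
    for _offset, _encoding, text in strings:
        for label, pattern in INDICATORS:
            if pattern.search(text):
                hits.setdefault(label, []).append(text)
                break
    return hits


# Constructed stand-in for a suspicious binary: a fake DOS header, an
# import-table-like run of DLL and API names, binary noise, a UTF-16LE URL
# and a Run-key path. This is not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"KERNEL32.dll\x00WININET.dll\x00"
    + b"InternetOpenA\x00URLDownloadToFileA\x00CreateRemoteThread\x00"
    + b"\x01\x02\x03\xff"
    + "ftp://192.0.2.10/upload.txt".encode("utf-16le") + b"\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"  # too short to report
)


if __name__ == "__main__":
    for label, items in sorted(triage(extract_strings(SAMPLE)).items()):
        print(f"{label:9} {items}")
```

The UTF-16LE pass is the part worth keeping: the FTP URL in the sample is invisible to an ASCII-only extractor, and Windows malware frequently stores paths, URLs and registry keys as wide strings.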

Tools & Techniques
Monitoring the code when it runs:
– Create a clone system (VMware, Shadow Drive, restored copy)
– Keep it in a sandbox: isolate it on the network so the code cannot reach production hosts or signal the attacker
– Set up monitoring tools before executing the code: Regmon, Filemon, InCtrl5 (Regmon and Filemon have since been merged into Sysinternals Process Monitor)

Tools & Techniques
– Install live analysis tools: PsList, Netstat, Tasklist (tlist), Fport, Whoami
– Set up a network traffic monitoring tool (Wireshark), preferably capturing from a separate host or span port so a rootkit on the test machine cannot tamper with the capture
– Use whatever tools you would use for a live response to analyze the impact and function of the bad code
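The before/after comparison that InCtrl5 performs on the clone can be reproduced with a short script, shown here as an added example rather than anything from the book or the InCtrl5 tool itself. It snapshots a directory tree (path to size and SHA-256), simulates the side effects of running bad code, snapshots again and reports added, removed and modified files. The directory layout, file names and the simulated changes are all constructed in a temporary directory; on a real clone you would point `snapshot()` at the system drive and take a registry snapshot the same way (omitted here).

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative POSIX path) to (size, sha256).
    Hashing, rather than size or timestamp alone, catches in-place edits that
    keep the size unchanged, which a date-based comparison would miss."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Build a throwaway tree standing in for the clone's disk, snapshot it,
    simulate what a dropper might do, snapshot again and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        profile = root / "Users" / "victim"
        sys32.mkdir(parents=True)
        profile.mkdir(parents=True)
        (sys32 / "hosts").write_text("127.0.0.1 localhost\n")
        (sys32 / "config.ini").write_text("debug=0\n")
        (sys32 / "drivers.txt").write_text("ok\n")
        (profile / "readme.txt").write_text("hello\n")

        before = snapshot(root)

        # Constructed stand-in for the bad code's side effects (not real malware):
        (sys32 / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 update.example\n")  # appended
        (sys32 / "config.ini").write_text("debug=1\n")  # same size, different content
        (sys32 / "svchost32.dll").write_bytes(b"MZ" + b"\x00" * 62)  # dropped file
        (profile / "readme.txt").unlink()  # deleted file

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Note that the snapshot is taken from inside the running clone, so a rootkit that hides files from directory listings can hide them from this script too; the forensic exam of the cloned image with an offline tool (next slides) is what closes that gap.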

InCtrl5 Results

FileMon Results

RegMon Results

Forensic Exam of "Compromised Clone"
– After you've run the bad code on the test machine, forensically examine it
– If cloned, examine the clone device
– If VMware, create a full clone of the compromised VMware image
– Examine the compromised full clone image with a forensic tool such as EnCase

EnCase View of VMware Image

Examine Results of Network Traffic
– When the test host is compromised, what network traffic resulted from the bad code during and after installation?
– Wireshark (formerly Ethereal) network monitoring tool

Ethereal View of Bad Code Attempting to Contact an FTP Server

Do External Port Scan & Compare to Netstat Results
– A rootkit can hide open ports and processes from the user by subverting the APIs that netstat and similar tools rely on
– By comparing netstat results with those of an external port scan run from a separate, trusted host, you can often detect the presence of a rootkit: a port the scanner finds open that netstat does not list is being hidden
– The opposite discrepancy (netstat lists a port the scanner cannot reach) is usually a host firewall or a loopback-only listener, not a rootkit

Results of “netstat –an”

Results?
– netstat showed 9 open TCP ports
– SuperScan showed 10 open TCP ports
– Why? The rootkit is hiding one of the TCP ports, and netstat on the compromised host cannot be relied upon to be accurate!

Results of SuperScan
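The netstat versus external scan comparison can be automated so the discrepancy is reported rather than counted by eye. The block below is an added example, not the book's material: it parses a constructed `netstat -an` listing in the Windows format, keeps only TCP listeners that are reachable from the network (wildcard or the host's LAN address, not loopback), and compares them with a constructed set of ports an external scanner reported open. The host address 192.0.2.50, the port numbers and the scanner result are all assumptions for this illustration; in practice the scan set would be parsed from SuperScan or nmap output taken on another machine.

```python
# Constructed `netstat -an` output from the test host (not from the book's case).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    192.0.2.50:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.50:3389        198.51.100.7:51822     ESTABLISHED
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

LOCAL_IP = "192.0.2.50"  # assumed LAN address of the test host

# Constructed result of an external TCP scan of LOCAL_IP from a separate host.
SCAN_SAMPLE = {135, 139, 445, 3389, 4444}

WILDCARD_ADDRS = {"0.0.0.0", "[::]"}


def parse_netstat_listeners(text, local_ip):
    """Return the set of TCP ports that netstat says are listening on an
    address reachable from the network. Loopback-only listeners are skipped
    because an external scanner can never see them and they would otherwise
    show up as false 'unreachable' entries."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, _, port = parts[1].rpartition(":")  # handles [::]:135 as well
            if addr in WILDCARD_ADDRS or addr == local_ip:
                listeners.add(int(port))
    return listeners


def compare(netstat_ports, scan_ports):
    """Classify each port by which view reports it.

    hidden      open on the wire but absent from netstat: the rootkit-class
                indicator the slides describe
    unreachable netstat lists it but the scanner could not connect: usually a
                host firewall, not evidence of hiding
    confirmed   both views agree
    """
    return {
        "hidden": sorted(scan_ports - netstat_ports),
        "unreachable": sorted(netstat_ports - scan_ports),
        "confirmed": sorted(netstat_ports & scan_ports),
    }


if __name__ == "__main__":
    local = parse_netstat_listeners(NETSTAT_SAMPLE, LOCAL_IP)
    for kind, ports in compare(local, SCAN_SAMPLE).items():
        print(f"{kind:12} {ports}")
```

In the constructed data the scanner sees port 4444 that netstat never reports, which is the rootkit signature, while port 5985 appears only in netstat, the pattern a host firewall produces; keeping the two directions separate avoids mistaking a firewall rule for a hidden listener.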