Responder Field Edition & Pro


1 Responder Field Edition & Pro
Memory Forensics: A How-To Guide for Responder Field Edition & Pro
- Prepare for investigation
- Search and analyze
- Report findings

2 Preparation: Forensic Analysis, Where To Start
Begin by creating a list of search terms that are relevant to your investigation, and prioritize the terms by importance. List the things you already know are involved in the investigation:
- Names of people
- Office applications
- Domain names
- Encryption
- Chat
- Project names
- Email addresses
- Filenames
- Phone numbers
- Websites
- Credit card numbers
This text file can be used to automate locating items in memory.

3 Preparation (cont.): Approach For Investigating A Particular Application
Considerations: try to find objects and artifacts that can tell you:
- Who has logged into the computer?
- When did things happen?
- What processes are running?
- What applications are installed?
- What types of files are found?
- What are the capabilities of the installed programs?
Approach for investigating a particular application: conduct background research. For example, for Skype, search Google for “Skype” and ask:
- What is it?
- How is it used?
- Why is the suspect using it?
- Is there volatile data in memory that might not be available through disk-based forensics?
- Are there recoverable passwords?

4 Begin Investigation: Case Creation
A case must be created for each memory image you need to investigate. Begin by creating a new case as demonstrated below, then import a previously acquired memory image. Images acquired with third-party tools can be analyzed, as can images acquired with HBGary’s Fast Dump Pro (FDPro) tool. It is recommended to import the system swap file whenever possible; this is only possible when the acquisition was performed with FDPro using the appropriate options.

5 Investigating Webmail: Web Browser Artifacts
Begin by searching the internet history contained in the memory image. Look for URLs associated with webmail services such as Yahoo, Gmail, Hushmail, or less common services. The graphic below demonstrates manual browsing of URLs. The following items should be noted:
- Web sites visited
- Files downloaded
- Memory offsets
Identify network connections and externally routable IP addresses, and note the process associated with each connection. External intelligence can then be gathered on the IP address, such as domain name resolution and registration information.
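The URL and IP triage described above, as an added Python example that is not Responder’s own browser-history or network view; the sample memory bytes and the webmail domain list are constructed, and “externally routable” is decided with the standard library’s ipaddress.is_global:

```python
"""Carve URLs and IPv4 literals from a memory image and triage them for webmail.

Added example, not Responder's browser-history or network views. Sample
bytes and the webmail domain list are constructed; "externally routable"
uses ipaddress.is_global (excludes private, loopback and reserved ranges).
"""
import ipaddress
import re

# Constructed sample of what a browser process may leave in memory.
SAMPLE_IMAGE = (
    b"https://mail.google.com/mail/u/0/#inbox\x00"
    b"http://login.yahoo.com/config/login\x00"
    b"http://intranet.local/status\x00"
    b"conn=192.168.1.23:49152->8.8.8.8:53 gw=192.168.1.1 lo=127.0.0.1\x00"
)
WEBMAIL_DOMAINS = ("mail.google.com", "gmail.com", "yahoo.com",
                   "hotmail.com", "hushmail.com")  # constructed; extend per case
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\x21-\x7e]*)?")
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_urls(image):
    """Return (offset, host, url) for every URL-looking ASCII string."""
    hits = []
    for m in URL_RE.finditer(image):
        url = m.group(0).decode("ascii")
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        hits.append((m.start(), host, url))
    return hits

def is_webmail_host(host):
    """True if host is a listed webmail domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)

def find_ipv4(image):
    """Return (offset, ip, externally_routable) for every valid IPv4 literal."""
    hits = []
    for m in IPV4_RE.finditer(image):
        try:
            ip = ipaddress.IPv4Address(m.group(0).decode("ascii"))
        except ipaddress.AddressValueError:
            continue  # 999.1.1.1 matches the regex but is not an address
        hits.append((m.start(), str(ip), ip.is_global))
    return hits

def triage(image):
    """Webmail URLs and externally routable IPs worth noting in the report."""
    webmail = [(o, u) for o, h, u in find_urls(image) if is_webmail_host(h)]
    external = [(o, ip) for o, ip, ext in find_ipv4(image) if ext]
    return webmail, external
```

Pass the bytes of an acquired dump to triage() to get the webmail URLs and external addresses, each with its memory offset for the report.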

6 Investigating Webmail (cont.): Searching Memory
The entire memory image can be searched for ASCII- and Unicode-formatted strings. Do this by double-clicking the memory image icon as demonstrated below, then use the binoculars icon to perform the search.
Webmail search terms: search the memory image for strings commonly associated with webmail activity. Example search strings:
- @gmail.com
- @hotmail.com
- @yahoo.com
- @hushmail.com
- Attachment
- &passwd=
- &login=

7 Investigating Skype: Skype Memory Artifacts
- Verify Skype is running via the “Process” list.
- Inspect the “Open Files” list: sort by name and locate Skype.
- Identify the Windows username and the Skype username from the profile path C:\Documents and Settings\username\Application Data\Skype\skype username (where username is the Windows account and skype username is the Skype account).

8 Investigating Skype (cont.): Locate Unencrypted Chat
Skype uses the # and $ signs to denote chat conversations. Search for the Skype username with a # or $ sign preceding the name. Make sure to search for both ASCII and Unicode text strings. An example chat snippet is shown on the original slide.
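The term-list search from slide 2, the ASCII/Unicode string search from slide 6 and the #/$ Skype chat search above, combined in one added Python example that is not HBGary or Responder code; the sample memory bytes, the term list and the Skype username alice.skype are constructed:

```python
"""Search a raw memory image for a term list in ASCII and UTF-16LE (Unicode).

Added example, not HBGary or Responder code. The image bytes and term list
are constructed so the script runs offline; pass the bytes of an acquired
dump to scan_image() to use it on a real image. Terms must be ASCII.
"""
import re

# Constructed sample "memory image": an ASCII URL, a UTF-16LE login form
# field, and a Skype-style chat fragment with # and $ before the usernames.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"GET http://mail.yahoo.com/inbox HTTP/1.1\x00"
    + "&login=alice@gmail.com".encode("utf-16-le")
    + b"\x00" * 8
    + b"#alice.skype/$bob.skype;abc123 hello bob\x00"
)

def load_terms(path):
    """Read the prepared search-term file (slide 2), one term per line."""
    with open(path, encoding="utf-8") as f:
        return [line.strip() for line in f if line.strip()]

def skype_chat_terms(skype_username):
    """Slide 8: Skype marks chat participants with # or $ before the name."""
    return ["#" + skype_username, "$" + skype_username]

def build_pattern(term):
    """Regex matching either the ASCII or the UTF-16LE encoding of a term."""
    ascii_form = re.escape(term.encode("ascii"))
    utf16_form = re.escape(term.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b")|(?:" + utf16_form + b")",
                      re.IGNORECASE)

def scan_image(image, terms, context=16):
    """Return (offset, term, encoding, surrounding bytes) per hit, by offset."""
    hits = []
    for term in terms:
        for m in build_pattern(term).finditer(image):
            enc = "utf-16le" if len(m.group(0)) == 2 * len(term) else "ascii"
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((m.start(), term, enc, image[lo:hi]))
    return sorted(hits)

if __name__ == "__main__":
    terms = ["@gmail.com", "yahoo", "&login="] + skype_chat_terms("alice.skype")
    for offset, term, enc, ctx in scan_image(SAMPLE_IMAGE, terms):
        print(f"0x{offset:08x}  {term:<14} {enc:<8} {ctx!r}")
```

The offsets it reports are the memory offsets slide 5 says to note; the surrounding bytes let you see whether a hit is a URL, a form field or a chat line before bookmarking it.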

9 Plugin Support: Background
Responder FE supports plugins which extend the product’s capabilities. The plugins are written by HBGary engineers, and customers are free to download and use them. First download the plugin of interest to a location accessible by Responder. Then select “Plugin” from the main menu, followed by “Compile and Load…”. After the plugin has been compiled and loaded it will be accessible via the “Toolbox” menu. Select the plugin by clicking on its link. Different plugins will have different next steps in order to complete the analysis.

11 Plugin Support (cont.): Image Extraction
The ImageExtractorPlugin.dll will attempt to carve image fragments out of a memory snapshot. Depending on the size of the memory image this can take a significant amount of time. Once completed, the image fragments will be placed in a folder which Responder will identify to the analyst.
Document Extraction

12 Report Generation: Reporting Steps
Evidentiary data should be added to the report throughout the investigation. This can be done by right-clicking on items and selecting “Send to report”. Items can also be added to the report by creating bookmarks throughout the memory image; this is done by right-clicking at the location of interest within the memory view, as shown below.

13 Report Generation (cont.)
Bookmarks can be edited within the “Report” tab by right-clicking on the report item and selecting “Edit Bookmark.”
Final report: the final report can be generated after all relevant items have been added to it. This is done by selecting the “Toolbox” on the left side of the GUI and selecting “RTF Report.”

