Memory Forensics Training

Memory Forensics Training
HBGary, Inc.

Agenda Introduction Windows memory basics Collecting memory images
Recover and analyze data Identify suspicious activity Generate Report

Introductions Trainers Participants: introduce yourselves to the class
Phil Wallisch Martin Pillion Participants: introduce yourselves to the class Name Experience in Computer Forensics What tools do you use? Why are you here? What would you like to learn in this class? NOTE: All trademarks referenced in this presentation are the property of their respective owners.

What You’ll Learn Windows Memory Basics
Live Memory Collection – good, bad, ugly Best practices for memory preservation Options for preserving memory Preparing media for collection Analysis Of Memory Rebuilding the state of the machine Recovering Data Searching for artifacts Methodology and approach for various investigation situations Generating a Report

Today’s Schedule/Agenda
How Windows Memory Works (basics) How to Prepare a Memory Forensic Toolkit Software Live Memory Collection – good, bad, ugly Best practices for memory preservation Options for preserving memory Preparing media for collection Analysis Of Memory Rebuilding the state of the machine Searching for artifacts Methodology and approach for various investigation situations Final Exam

Disclaimer This 1 day class will not cover: Disk Based Forensics
Reverse Engineering Malware Assembly Language tutorial

Class Structure Lecture for each section - Concepts
Demonstration/Movie Hands-on Lab Exercises Final Exam last 2 hours Focus: Computer Forensic Investigations

Applications we’ll investigate
Microsoft Internet Explorer Microsoft Outlook 2007 True Crypt Skype Yahoo instant messenger Webmail – Gmail Webmail – yahoo DNAScan (Infostealer) –

Goals, Content to Recover
Passwords for webmail – internet explorer Password for Hushmail – internet explorer Outlook IMAP Encryption Software Encrypted Chat sessions – Skype File names transferred through Skype Dates and time stamps of messages sent via Skype Internet Explorer – Browser Helper Objects

Labs Exercises Collect and Preserve Windows Memory
Analyze Memory Images off-line Forensic Investigation Cases 3 Different Scenarios Generate Report

Key The start of a new training section or concept
Movie that illustrates the concept The start of a new training section or concept Class exercise A helpful analysis hint Instructor demo

Class Admin Stuff Receive Install Responder (Should be done)
Responder Installation CD Numbered HASP key Class DVD Install Responder (Should be done) Copy DVD contents to your local hard drive (optional) C:\XXXXXX\

CONCEPT 1: How Windows Memory Works

How Windows Works Because we don’t trust operating system, can’t use it Responder must manually do everything the OS would do Windows is very complex Understatement Thousands of structures Can change between versions Mostly undocumented Hacks on top of short cuts on top of optimizations on top of millions of lines of code....

How Windows Works Who knows? Not many people
Sysinternals – Microsoft bought them... Greg, Martin, and Shawn from HBGary.

Windows Memory Model 0xFFFFFFFF Kernel 0x User 0x

Windows Memory Model 0xFFFFFFFF Kernel Each process has its own 2GB
Truecrypte.exe Winword.exe Skype.exe Solitaire.exe 0x

Windows Memory Model 0xFFFFFFFF Kernel 0xC0000000 /3GB boot switch
User 0x

Windows Architecture Subsystem DLL’s User Mode Kernel Mode Executive
System Support Processes Service Processes User Applications Environment Subsystems Subsystem DLL’s User Mode Kernel Mode Executive Windowing and Graphics Kernel Device Drivers System support services: Logon process – not started by SCM Session manager – not started by services control manager Service Process: task scheduler – spooler servies. Hardware Abstraction Layer Source: Windows Internals , 4th Edition

Windows Architecture System Service Dispatcher NTDLL.DLL Kernel
System Processes Services Applications Environment Subsystems Service control Mgr SvcHost.exe Service control Mgr Windows LSASS WinMgt.exe Task Mgr Winlogon SpoolSv.exe Explorer OS/2 Posix Session manager Services.exe User Applications Windows DLL’s User Mode NTDLL.DLL Kernel Mode System Threads System Service Dispatcher System Service Dispatcher Windows User, GDI I/O MGR File System Cache Object Manager Plug & Play Mgr Security Reference Monitor Virtual Memory Processes & Threads Config Mgr (registry) Local Procedure Call Device & File sys Drivers Graphics Drivers Kernel Hardware Abstraction Layer (HAL)

Address Translation Process
Source: Microsoft Windows Internals, 4th Edition

Virtual to Physical Mappings
Logical Data – better than strings... Virtual Memory Physical Memory

Include Pagefile.sys = More Data Virtual Memory Memory Image Paging File

Process Information EPROCESS Contains KPROCESS Points to PEB
Start and Termination times (we’ll recover these soon) PID and Parent PID Heaps Points to PEB BeingDebugged Path to executable Command Line arguments Loaded Modules (DLLs) Points to ETHREAD, other EPROCESS

Finding the Processes Active Process Links

Process Relationships
Idle System (pid 0) Smss (pid xyz) (ppid 0) Csrss (pid xyz1) (ppid xyz) Winlogon (and so on…) alg Services svchost Lsass Userinit (exits after Explorer starts) Explorer

Process Information Full name and path Command line arguments
Process ID number (PID) Parent PID Current working directory Window Title Handles Files, devices, drivers List of loaded modules DLLs

Process information System processes have defined parents
cmd.exe should not be the parent of lsass.exe Most user processes are started by Explorer.exe It’s suspicious when they’re not Maybe started from a command prompt Orphaned process – no PPID or Parent! Some system processes should never start programs lsass.exe should not start cmd.exe

Process information List of DLLs for each process
Responder gets the name, path, and size of each What is solitaire.exe doing with wsock32.dll? What is iexplore doing with c:\temp\WS2_32.dll? What if there is no path information or memory mapped files? Injected code! Possible Rootkit Where is it on the disk?

Process Information Suspicious program names Parishilton.exe
Suspicious command lines C:\TEMP\solitaire –L –p e cmd.exe c:\windows\system32\cmd.exe

CONCEPT 2: Why Memory Forensics?

Memory Forensics is… Random Access Memory (RAM)
It’s the state of the computer Very far down into the weeds

Strings is not enough… Find all ASCII and Unicode Strings
Old School – since 2002 Answers "what" (sometimes) Don't know when, who, where, or why Only Physical Search – cannot tie the content to a process and then to user....

Strings is not enough… Produces HUGE amounts of data Lots of good info
Sometimes more than 1,000,000 ASCII strings – OMG! No contextual information Lots of good info Mostly on-screen messages Open documents Program names Passwords Network Connection info

Why Memory Forensics? Encryption Keys*
BitLocker, PGP Whole Disk Encryption, etc. What was happening on the system... Running programs, open documents Unpacked contents of packed programs Network connections What was really happening on the system Not the sanitized (lying) version from the OS Hidden programs, rootkits, injected code Destroying the Hacker Defense What was running ten minutes before the knock and talk

Complete Investigation
Why Memory Forensics? A more Complete Investigation

To execute must exist in RAM
Traditional Forensics & Security Software

Why Live Memory Forensics?
Today it’s Easy! Mission-critical systems % availability Anti-forensic techniques used by bad guys Hax0rs Cyber spies Cybercriminals Valuable info in RAM cannot be found on disk Passwords, encryption keys Network packets, screen shots Private chat sessions, unencrypted data, unsaved documents, etc.

Why Offline Analysis? No more operating system to be fooled
Rootkits and malware “lie” Operating system cannot be trusted! Can’t Use it! Everything is recreated from the bottom up Physical layer Replicates disk forensics approach Can Detect Malware that Anti-Virus cannot Can Detect Malware that Host Based IDS/IPS cannot Verify the “Run-Time” state of the system Proactively

Useful Information in RAM
Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat

Bad Guys use Memory Tricks
Memory injection attacks never touch the disk Public and commercial hacker tools have used these techniques for over 3 years Metasploit Framework Canvas Core Impact No good software detection mechanism without physical memory preservation and offline analysis Remember: you cannot trust the operating system!

History Of Memory Analysis
Relatively New There are some imagers, but nothing solid for analysis Freeware Scene – started in 2003 DFRWS community, Kornblum, Carvey, others Academic Scene – Jan. 2008 The Princeton Video “frozen memory” Open Source & Academic Projects Perl scripts Hex editors Strings.exe, grep searches, manual carving Volatility framework

Defeat the Trojan Defense
“I didn’t do it, the Trojan horse did!” “the hacker controlling my PC did” Used in the UK Plausible deniability because Law Enforcement didn’t image physical memory Law Enforcement destroyed 4 GB of “evidence” 4GB is equivalent to 1,048,576 pages of paper That's about 2,097 reams of paper Goal: “to prove the negative” “No, your Honor, there was no Trojan or any other software running on the defendant’s machine at the time in question with the capabilities claimed by the defense…”

Live Memory Forensics Risks
RAM Collection software relies on the host OS Can be subverted Some software more invasive than others Usually load about 10 modules from the operating system

Live Memory Forensics Risks
Rootkits User Mode Can modify system commands (netstat, ipconfig) Kernel Mode Can hide and modify low level blocks of memory/disk Can subvert software dumping of RAM That’s why we’re working on ICEDUMP Similar to the Princeton approach ** Countermeasures to kernel-mode rootkits: VMware Snapshot Files: pause the processor Hiberfil.sys: contents of RAM are written to non-volatile storage before the system is powered down.

Counter-Measures Pause the Processor – Virtual Machines
Existing Memory Images (made by Windows) Hibernation Files – file system Crash Dumps – file system

Size of Physical Memory
Hibernation Saves system state to disk for faster resume Compress physical memory and write it to c:\hiberfil.sys Space reserved when hibernation enabled Not cleared, contains disk free space No data if enabled but never used Once used, always some data maintained Compressed Memory Disk Data Size of Physical Memory

Hibernation Not enabled by default* until Windows Vista
Now called Sleep

Hibernation Header Free Pages Page Tables Compressed Data
Wiped upon successful restore Free Pages Page Tables Compressed Data

CONCEPT 3: Memory Collection

Memory Collection Software Memory Imagers Hardware Memory Imagers
FastDump Pro – HBGary WinHex – X-Ways DD derivatives (FAU, DD from Garner, NiGilent32, Helix) Winen – Guidance Software MDD – Mantech Hardware Memory Imagers Firewire “Tribble”, other projects online Princeton Video: freeze the RAM

Memory Collection – Best Practices
Goal: Be “Minimally Invasive” to suspect machine DO NOT acquire RAM to the local system hard drive Invasive – possibly destroy important data Use external thumb drive - Image the RAM to sterile media Freshly wiped drive preferably with all Zero’s. Reformat the drive to NTFS – FAT 32 File system has 2GB file size limitation FDPro cannot split up the file into chunks yet… Generate MD-5 hash at time of collection – save with memory image Used to verify integrity of file

“Smear” Image Software creates a “smear” image
Not a “true” duplicate image This process is not reproducible In order to create a “true” image Hardware is required Virtualization can “pause” the processor Crash Dump Hibernation File (hiberfil.sys)

HBGary FastDump™ Software used to dump physical RAM
Works on Windows Operating Systems Windows 2000 – 2008 Server 32 and 64 Bit PAE and Non-PAE

Fastdump Pro

Memory Collection Video
Collecting the physical memory Movie: FDPro_RAM1.wmv Movie: FDPro_RAM1.wmv

Exercise 1: Memory Collection

Memory Collection Exercise
Location of Fastdump Pro : C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\ Copy FDPro to USB 2.0 Drive Create a Memory Snapshot E:\FDPro.exe RAMdump.bin Fdpro writes the memory snapshot to the location where FDPro was run from unless you specify a separate path. Ex: E:\fdpro X:\Memory.bin Take 10 – 15 minutes

CONCEPT 4: Memory & Pagefile Collection

Virtual to Physical Mapping
Partial Address Translation – No Pagefile.sys Virtual Memory Memory Image

Robust Address Translation = More Data Virtual Memory Memory Image Prototype Paging File

Why Collect Pagefile? More accurate recovery of data
More complete Memory Investigation HBGary Testing: Memory Image – 70,000 URL’s Same Memory with Pagefile.sys – 500,000 URL’s Memory Image – no passwords found Memory Image with Pagefile.sys – Domain Administrator PW

Memory & Pagefile Collection Video
Collect physical memory & pagefile.sys Movie: FDPro_RAM_Pagefile1.wmv

Exercise 2: Memory & Pagefile Collection

Memory & Pagefile Exercise:
Location of Fastdump Pro : C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\ Copy FDPro to USB 2.0 Drive Create a Memory Snapshot with Pagefile.sys E:\fdpro.exe RAMdump_Pagefile.hpak Take 15 – 20 minutes

CONCEPT 5: Memory Collection with Process Probe

Goal of Process Probe GOAL of Process Probe: To force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to the Pagefile.sys and also code that is still contained in the executable on disk but not in use, this code will also be called into RAM prior to acquisition of physical memory.

Why Process Probe? Because Process Probe will often times provide the investigator with a much more accurate and complete picture of the executable code and the data. Process Probe Feature Detail: The process probe feature allows you to control what memory is “paged-in” to RAM from SWAP AND the File System before FDPro performs RAM acquisition. When you use the –probe smart feature FDPro.exe will walk the entire process list and make sure *all* code is called into RAM. The result is that we’re able to recover almost 100% of the user-land process memory by causing these pages to be activated & paged in on the fly. The Probe feature will even force code from the file system into RAM for a specific process. The Process Probe feature can dramatically improve the quality and thoroughness of Live Windows Memory Forensic Investigations and Malware Analysis.

Why Process Probe? When would I use the Process Probe feature?
During any “LIVE” network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. You’re going to want to get any and all possible information relative to the applications running on the computer that are pertinent to your investigation. Examples of these applications include instant messengers, IP Telephony, internet browsers, malware, encryption applications, a database, media players, and other applications. Examples of data you can get access to is encrypted data, passwords, unencrypted chat sessions, documents, s, internet searches, internet postings, password protected websites, etc.

Process Probe Best Practices
Forensic best practices dictate that an investigator or analyst should always acquire RAM first (and the Pagefile too) without running the Probe Feature. After “freezing the current state” of the RAM the investigator/analyst should run FDPro again, this time using the Probe Feature. Even when grabbing the pagefile, the probe feature can force code from the file system not being used into RAM

Process Probe Best Practices
Example Steps: Arrive at server or workstation suspected in the computer incident or forensic investigation Collect RAM to “freeze the runtime state of the machine”. This is a full RAM image with Pagefile If you’re doing any sort of malware analysis, Reverse Engineering, or know for a fact that you will never have to use the RAM acquisition in litigation then you can go ahead and probe –smart on your very first image to save you time but you should know that this technique will instrument a larger footprint in RAM than only performing a memory acquisition

Memory Collection with Process Probe Video
Collecting physical memory with Process Probe Movie: FDPro_Probe1.wmv

Exercise 3: Memory Collection with Process Probe

Memory Collection with Process Probe Exercise
Location of Fastdump Pro : C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\ Copy FDPro to USB 2.0 Drive Create a Memory Snapshot using the following commands E:\fdpro.exe RAMdump_Process_Probe.bin –probe all E:\fdpro.exe RAMdump_Process_Probe.bin –probe smart E:\fdpro.exe RAMdump_Process_Probe.bin –probe pid #

CONCEPT 6: HBGary Responder™ Overview

Responder Overview Responder Professional Computer Forensics
Live Physical Memory Forensics Runtime & Binary Forensics Computer Forensics Computer Intrusions Rootkit Detection Malware Analysis Computer Forensics Computer Intrusions

HBGary Responder Pro™ Embodies the HBGary IR Methodology
Complements disk forensic investigations Commercial shipping product to analyze RAM images “Windows without Windows” Carves all Windows Memory images for Win2k, XP, 2003, Vista, 2008 Server All service packs 32 & 64 bit

Creating a Project Wizard walks you through project creation
Two basic types Physical Memory Snapshot Live memory analysis (all running processes) Static PE Import *** Not part of Field Edition Binary import and analysis Project details Why you are analyzing this machine Date & Timestamps

Importing a Snapshot File → Import → Physical Memory Snapshot
Select Snapshot File Add Details About the Snapshot Why is it of interest? Select Post-Import Options Extract and Analyze all Suspicious Binaries Generate the Malware Analysis report Same steps when importing a static binary File → Import → Import Executable Binary

The Scanning Process Import Memory Snapshot
Validate the Page Table layout and size Identify PAE/Non PAE Identify OS and Service pack Reconstruct Object Manager Rebuild EPROCESS Blocks Rebuild the VAD Tree Scan for Rootkits Scan for patterns Scan for Digital DNA

CONCEPT 7: Responder User Interface

User Interface: Project Panel
Shows all harvested objects Processes, Modules, Drivers Strings, Symbols Macroscopic view of object data Allows drill-down on most objects Context-sensitive right-click menu Status icons

Responder Object Schema
Project Memory Image Hardware IDT Operating System SSDT Processes Drivers Open Files Network Socket Information Open Registry Analyzed Binary Strings Analyzed Symbols

Project type Top level folders Leaf-node folders – double click these to see details view of the folder Expandable folders – single click these to expand contents of the folder Table – double click this to see contents of table.

UI: Report Panel Provides a repository for documenting your findings
You can edit the description fields in the Report Panel Descriptions are inserted into the final report You can choose which report items will be included in the final report

UI: Report Panel

UI: Detail Panels Provide detailed information about the selected category in the Project Panel Data can be searched Data can be exported to a variety of formats PDF - XLS - CSV HTML - Image - Text RTF Panel contents can be “locked” Additional columns are available (per panel)

UI: Detail Panels Functions  SSDT Strings  IDT Symbols  Processes
Samples  Modules Files  Drivers Registry  Network

Leaf-node folders: double-click these to see the detail panel of the folder

Right click on header to get column chooser

Search the Detail Panel, which filters the panel’s contents to only those entries that match the search criteria

1. Lock the window after filtering
2. Double click the “All Open Registry Keys” folder again. Since the default window (the Registry Panel) is locked, a new (unfiltered) Registry View window is created. You can lock as many as you choose

Context-Sensitive Actions
Every panel has a right-click context menu Menu choices based on selected object(s) Most common options Send to report: creates entry in the Report Pane for the selected item Google™ Text Search: uses Google™ search engine to find Internet references to the selected item Google™ Code Search: uses Google™ search engine to find source code that uses the selected item (typically a string or symbol)

Exercise 4: Import RAM walk thru Interface

User Interface Exercise
Details Take 15 minutes and walk through all data Test the different buttons, right clicks, etc. Instructor will be driving through the UI Please ask questions

Saving Search Hits Export to: Cannot easily add to report.. excel file
Csv, txt, pdf Cannot easily add to report.. This will be fixed soon

Report - Bookmarks Try Right-Click send to Report
If that doesn’t work you might have to export to disk then manually add to report

CONCEPT 8: Baserules.txt

What is BaseRules.txt? Malware identification file
Can Auto-Magically analyze “hits” Sometime’s auto-magic is good sometimes not… Searches for suspicious behaviors Customizable by the end-user Add in Strings & Pattern Searches Flagged binaries can be automatically extracted & disassembled for further diagnosis

Baserules Suspicious Strings API calls Bytes Assembly *Wildcards
Example

Exercise 5: Baserules file

Edit Baserules # General rule description:
# <Type>:<Version>:<Weight>:<Text/Arg>:<Group>:<Description> # <Type> # The rule type # <Version> # Rule version, 1.0 # <Weight> # 0 (benign) to 255 (critical): Severity of a match on this rule # <Text/Arg> # Varies by rule type. Used by the rule to determine a match # Some rule types may have multiple arguments # <Group> # Group for this rule (KERNELMODE, USERMODE, KEYBOARD, ALL, etc) # <Description> # Text description for this rule

Edit Baserules Example – Storm virus which spreads via email
Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13 Known process names to search for FullClip.exe - GreetingCard.exe GreetingPostcard.exe - MoreHere.exe - FlashPostcard.exe Dropper process wincom32.exe

Edit Baserules 2 ###################################
### Blacklisted Modules - Alert ### # ADDED ENTRY – Dropper for Storm Worm SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule – wincom32.exe, Dropper for Storm worm # ADDED ENTRY – Executable for Storm Worm SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule –fullclip.exe, executable for Storm worm SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule – greetingcard.exe, executable for Storm worm

CONCEPT 9: Investigating Applications

Investigating Applications
Goal: identify artifacts that lead you to other pieces of information… Finding bread crumbs Following the bread crumbs…

Try to find objects and artifacts that can tell you: Who, What, Where, When, Why, How *

Approach: Knowledge is helpful… Google: “skype” What is it? How is it used? How does it work? Why is my suspect using it? Is there data in memory that might not be available by performing disk based forensics?

Create a list of things you know… Names involved in the investigation Domain names Project names Filenames Website Applications in question Office Applications? Internet Browser Encryption? Chat

CONCEPT 10: Webmail investigations

Webmail… where do I start?
The browsers… Internet Explorer Firefox Opera

Webmail… where do I start?
Browser Artifacts Web sites visited Files downloaded Dates and timestamps

Webmail… things to consider
Web Server Apps act differently Gmail stores passwords differently than hushmail

Webmail Search Terms @gmail.com @hotmail.com @yahoo.com @hushmail.com
Attachment

Webmail Specific Search Terms
&passwd= &login= Others…

DEMO Webmail Investigations - Gmail

Exercise 6: Webmail Investigation

Web Mail Exercise Intellectual Property Investigation Focus Type
Private Company Data sent Via Steps: Once VMware is configured, and Flypaper is running a. Drag the following files to the VM window - InstDrv.exe - _root_.exe - _root_.sys b. Run _root_.exe c. Look for that process in Task Manager (look at its PID) d. Run InstDrv - load _root_.sys - start _root_.sys e. See that the process has been removed in Task Manager f. Run netstat (what flags?) and see that the port is listening to a “non-existent” PID g. Telnet to that port and verify that it is indeed listening Description Search for indications of files, addresses, and other related info data theft Time 30 minutes

The Scenario Beginning a search based on suspicion
Press release from competitor having similar data Searching for private content WHAT DO WE SEARCH FOR? LETS MAKE A LIST Understanding search hits Process name/module/unidentified Adding webmail data/artifacts to the report

Key Search Concept Link Pieces of Information Together
How can time stamps help us? How can something we already know find something we don’t know?

Search Steps Beginning a search based on suspicion
Press release from competitor having similar data FIRST - Search for content we know We know we are looking for “Pluripotent” Searching for addresses to corroborate suspicion Search terms gmailchat= Understanding search hits Process name/module/unidentified SECOND - Search for content we learn Adding webmail data/artifacts to the report

Web Mail Questions Search for “Pluripotent”, what file do you find?
Where is it located on file system? Who sent this file? What is the address? Who received this file? What is the address? What other important file name is mentioned in the thread? What is the date associated? How else could you find this?

Web Mail Answers Pluripotent.pdf C:\temp\plutipotent.pdf
Lori Hanson, Lance Kline, I5867.doc Fri, July at 3:22pm Make search term from nearby tags Example – “forwarded message”

CONCEPT 10: Skype

Skype – Where do I start? Questions to answer: What is Skype?
secure instant messenger free phone online telephony Why are bad guys using it? anti-forensics secure comm’s What are the disk anti-forensic capabilities and uses of Skype? Why is Skype not liked by IT Security? Encrypted communications…

Investigating Skype Process list - are there chat programs listed there? Name harvesting Look to open files, sort, go to skype Notice C:\Documents and Settings\username\Application Data\Skype\skype username. Take note of 'Username', Take note of 'Skypename' Here we have username john smith but with skype name lance kline May be different identity, may be same identity

Investigating Skype 2 Name search to get other names
- now we search memory to find other names being chatted to - look for something unique, which might only exist once in memory speech, common expressions "wazup" You might try a few search to see which ones give the fewest hits Example: pass = 1,000+ need something more specific

Chat Investigations - Skype
DEMO Chat Investigations - Skype

Exercise 7: Skype Investigation

Skype Chat Exercise Intellectual Property Investigation Focus Type
Private Company Data sent Via Chat Description Search for indications of files, addresses, and other related info data theft Time 30 minutes Name of File StudentForensic1.bin

The Scenario Beginning a search based on suspicion
Press release from competitor having similar data Searching for references to private content WHAT DO WE SEARCH FOR? LETS MAKE A LIST What do people say in conversation? Adding chat data/artifacts to the report

Key Search Concept Link Pieces of Information Together
How can time stamps help us? How can something we already know find something we don’t know?

Search Steps Beginning a search based on something we know to find something we don’t know. FIRST - Search for content we know names? Too many hits? Search for word “research”

Chat Questions Search for “Research”, what email address do you find?
What is his associated name? Could it be real? What is he willing to pay for? What is the name of the document he is looking for? Has this document been read into memory? How do you know? Who else got this file sent to them? How was the file sent?

Chat Answers jsmithers1971@gmail.com John Smith, could be
Research on Advanced Stem Cell I5867.doc Yes. Searching on a term from the document showed it to be in memory Steve Barko Hushmail

Final Exam

Memory Forensics Training

Similar presentations

Presentation on theme: "Memory Forensics Training"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Memory Forensics Training

Similar presentations

Presentation on theme: "Memory Forensics Training"— Presentation transcript:

Similar presentations

About project

Feedback