The Value of Physical Memory for Incident Response

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The Value of Physical Memory for Incident Response"

Transcription

1 The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA ManTech Cyber Solutions International, All Rights Reserved.

2 Physical memory refers to the random access memory (RAM) of the computer. RAM can be added or removed from a computer by adding or removing memory chips. Windows computers typically have anywhere from 256 Megabytes of RAM to over 2 Gigabytes. RAM is volatile memory that is lost when a computer is powered down. While the computer operates, RAM stores all the accumulated data for running applications and network communications. The RAM will contain the contents of application windows, keystrokes, and even attachments. There is a wealth of information in RAM that exists only when applications are running. Most of this information cannot easily be obtained from a hard drive. Information that can be obtained from RAM includes: All running processes at the time of the memory snapshot All loaded modules and DLL s (dynamic link libraries) including injected malware All running device drivers, including potential rootkits All open files for each process, including path to file on disk All open registry keys for each process All open network sockets for each process, including IP address and port information that is calculated at runtime, such as packet buffers Decrypted versions of otherwise encrypted data Contents of windows Keystrokes attachments, file transfers, and other secondary data Cryptographic key material Hard drive encryption keys WEP and WPA wireless keys Usernames and passwords For many years, forensic analysts have known that physical memory is valuable. Tools have been developed to forensically image the contents of RAM, similar to the way a hard drive image is taken. But until very recently, nobody has built tools to analyze the contents of these physical memory images. RAM analysis is hard you have to parse undocumented and esoteric data structures which are unique to each operating system version. Every computer program and activity that is represented in the RAM can only be recovered through many layers of analysis. In the past, this had to be done by hand and thus was error prone and did not scale. Challenges to physical memory analysis include: Identification of the operating system, version, and service pack Use of undocumented internal data structures to the operating system Internal data structures may change between versions and service packs of the OS White Paper: The Value of Physical Memory for Incident Response Page 2 of 7

3 Physical memory Pages must be sorted and organized to rebuild the memory of the operating system Many sections of memory are paged out and this must be accounted for To extract an EXE or DLL file from memory it must be reconstructed and fixed up to return it to the portable executable (PE) format Traditional MD5/SHA1 filesystem hashing does not work for in memory files, the hashes will not match These reasons and more are why nobody has built a tool to perform analysis. Not only does a tool need to perform complicated and layered analysis, to be deployable as a product it must be able to analyze all the different versions and service packs of an operating system. This is made more difficult when dealing with closed source operating systems such as Microsoft Windows that are patched on a regular basis. Physical memory forensics can be used for a variety of purposes: Augment disk based forensics Detect which files each process had open at the time of seizure Detect if sensitive or proprietary data was being stolen Detect back door programs, spyware and keyloggers Detect advanced attacks, such as in memory only backdoors 1 Obtain unpacked/decrypted versions of programs that are packed/encrypted ondisk Detect hidden processes and drivers, such as rootkits Detect recently used and web addresses Detect recently edited files Rootkits and other malware pose a serious threat to the Enterprise. Physical memory forensics offers a unique and powerful way to detect and analyze these threats. A rootkit may hide itself by patching the kernel or hooking functions on a running system, but a physical memory snapshot is analyzed offline and thus is not subject to these bypasses. The simple fact is that for code to execute it must exist in RAM, thus it can be found. Automated scans can detect many suspicious behaviors in running software, including potential rootkits. Combinations of factors can be used to narrow the search. For example, if a keyboard driver is accessing the filesystem, this may indicate a keylogger (see Table 1). Although not guaranteed to be malicious, the behavior is suspicious. 1 Metasploit Meterpreter, etc. White Paper: The Value of Physical Memory for Incident Response Page 3 of 7

4 Table 1 Two suspicious properties found on the "" device driver 2 ZwCreateFile ZwWriteFile ZwCreateFile Import This keyboard driver is accessing the filesystem, check for a keylogger ZwWriteFile Import This keyboard driver is accessing the filesystem, check for a keylogger Multiple factors can contribute to understanding whether software has malicious properties. These can include: Suspicious strings (see table 2) Use of suspicious libraries or functions, such as network or filesystem The combined use of several suspicious functions together Accessing user mode programs from kernel mode Use of protocols such as IRC, SMTP, or POP3 Use of encryption Network capabilities combined with backdoor commands Enumeration of files Use of registry keys to survive reboot Table 2 List of suspicious strings with analyst notes ( rootkit variant) Key logger thread Suspicious string terminated Driver: %s Suspicious string Keyboard hook detached from device... \Device\KeyboardClass0 Keyboard hook detached from device... Successfully created log file... \DosDevices\c:\.txt Scan code '%s' successfully written to file. Suspicious string This is definitely used by rootkits. Searching google revealed that a rootkit called "GMER" may also use this. Looks like it can detach also. Maybe it can be unloaded. Check for log file on system. This looks like a secret log file. Likely keystrokes. Suspicious string 2 MCSI Responder PRO, White Paper: The Value of Physical Memory for Incident Response Page 4 of 7

5 hiding driver The driver looks like it can hide itself. It might not be detected by system tools. To address new and unknown threats, the human analyst must be involved. Although any factor can be suspicious on its own, the combination of several different factors working together can significantly boost the confidence that something malicious has been found. The human analyst can determine the relative importance of each finding and relate them together. In table 2 we see a list of suspicious strings and the notes made by an analyst. The target is a driver calling itself which turns out to be related to a keylogging rootkit. The terms scan code, hiding driver, and Key logger give away what this rootkit is doing. Table 3 Graph of all IRC commands in a rootkit 3 /Victim=[ vic online: /Ip= ] /Trojan Port=[ is Online IP ADDRESS= From: Subject: Vic: is online from Port: &Name= o vq0 zmd)l`q'dgo 3 Graph generated using MCSI Responder PRO Edition (www.mcsi.mantech.com/responder) White Paper: The Value of Physical Memory for Incident Response Page 5 of 7

6 %0A data_004b02e8 data_004b01e PRIVMSG # Vic: IP ADDRESS= Server Port= is Online Please Open your Client to Chat First! NOT DONE Has logged OUT! Has logged IN! Client Opened to chat! Client Closed to chat! The relationships between suspicious strings can be reinforced further by following control flow and cross references, as shown in table 3. When viewed separately, the strings appear to be related, but when graphed we can see for certain they are related. See the graph below. To obtain these cross references requires the ability to extract EXE s and DLL s from the physical memory and then requires a subsequent disassembly step to obtain code and data cross references. Using graphs to explore string relationships is powerful and easy to grasp for people who have no prior reverse engineering experience. Graph based analysis is relatively new to the industry and is significantly less complex than traditional reverse engineering. White Paper: The Value of Physical Memory for Incident Response Page 6 of 7

7 Until recently, analysts who wanted these capabilities had to cobble together a variety of separate tools that only provide partial functionality. Because of the lack of commercially supported products, physical memory forensics has been slow to mature. Most research has resulted in free tools that are limited to specific operating system versions, have command line only interfaces, and have minimal parsing and extraction capabilities. White Paper: The Value of Physical Memory for Incident Response Page 7 of 7

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform

More information

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook

More information

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute Detecting Malware With Memory Forensics Hal Pomeranz SANS Institute Why Memory Forensics? Everything in the OS traverses RAM Processes and threads Malware (including rootkit technologies) Network sockets,

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11 FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory DFRWS 2006: Work in Progress (WIP) Aug 16, 2006 AAron Walters 4TΦ Research Nick L. Petroni Jr. University

More information

Oracle Database Vault: Design Failures

Oracle Database Vault: Design Failures Oracle Database Vault: Design Failures What is Database Vault? Helps protecting against insider threats even when these comes from privileged database users (SYS) Mandatory in certain countries: laws Can

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

Seqrite Antivirus for Server

Seqrite Antivirus for Server Enterprise Security Solutions by Quick Heal Seqrite Best server security with optimum performance. Product Highlights Easy installation, optimized antivirus scanning, and minimum resource utilization.

More information

Systems. Malware Forensics Field Guide for Windows. Digital Forensics Field Guides. Eoghan Casey. James M. Aquilina. Technical Editor. Curtis W.

Systems. Malware Forensics Field Guide for Windows. Digital Forensics Field Guides. Eoghan Casey. James M. Aquilina. Technical Editor. Curtis W. Malware Forensics Field Guide for Windows Systems Digital Forensics Field Guides Cameron H. Malin Eoghan Casey James M. Aquilina Curtis W. Rose, Technical Editor ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours Ethical Hacking and Information Security Duration Detailed Module Foundation of Information Security Lecture with Hands On Session: 90 Hours Elements of Information Security Introduction As technology

More information

RMAR Technologies Pvt. Ltd.

RMAR Technologies Pvt. Ltd. Course Name : StartXHack V2.0 Ethical Hacking & Cyber Security Course Duration : 2 Days (8Hrs./day) Course Fee : INR 1000/participant Course Module : 1. Introduction to Ethical Hacking a. What is Ethical

More information

5 Steps to Advanced Threat Protection

5 Steps to Advanced Threat Protection 5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious

More information

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.

More information

CRYPTUS DIPLOMA IN IT SECURITY

CRYPTUS DIPLOMA IN IT SECURITY CRYPTUS DIPLOMA IN IT SECURITY 6 MONTHS OF TRAINING ON ETHICAL HACKING & INFORMATION SECURITY COURSE NAME: CRYPTUS 6 MONTHS DIPLOMA IN IT SECURITY Course Description This is the Ethical hacking & Information

More information

Operation Liberpy : Keyloggers and information theft in Latin America

Operation Liberpy : Keyloggers and information theft in Latin America Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation

More information

FORBIDDEN - Ethical Hacking Workshop Duration

FORBIDDEN - Ethical Hacking Workshop Duration Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once

More information

Physical Memory Standard Operating Procedures

Physical Memory Standard Operating Procedures MORGAN STANLEY Physical Memory Standard Operating Procedures HBGary Memory Forensic Tools Phil Wallisch 5/11/2010 This document details the procedures that Morgan Stanley CERT will perform to acquire and

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

Online Payments Threats

Online Payments Threats July 3, 2012 Introduction...2 Tested Products...2 Used Configuration...3 Real Malware Inspiration...3 Total Scores Chart...4 Conclusion...4 About matousec.com...4 Detailed Descriptions of Tests...5 Detailed

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security Security+ Supported Labs - V1 Lab 1 Network Devices and Technologies - Capturing Network Using tcpdump to Capture Network with Wireshark with Network Miner 2 Secure Network Administration Principles -

More information

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details: Malicious software About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Spyware Doctor Enterprise Technical Data Sheet

Spyware Doctor Enterprise Technical Data Sheet Spyware Doctor Enterprise Technical Data Sheet The Best of Breed Anti-Spyware Solution for Businesses Spyware Doctor Enterprise builds on the strength of the industry-leading and multi award-winning Spyware

More information

Redline Users Guide. Version 1.12

Redline Users Guide. Version 1.12 Redline Users Guide Version 1.12 Contents Contents 1 About Redline 5 Timeline 5 Malware Risk Index (MRI) Score 5 Indicators of Compromise (IOCs) 5 Whitelists 5 Installation 6 System Requirements 6 Install

More information

Keystroke Encryption Technology Explained

Keystroke Encryption Technology Explained Keystroke Encryption Technology Explained Updated February 9, 2008 information@bluegemsecurity.com (800) 650-3670 www.bluegemsecurity.com Executive Summary BlueGem Security is introducing keystroke encryption

More information

Storm Worm & Botnet Analysis

Storm Worm & Botnet Analysis Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing

More information

RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks

RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks RSA Incident Response incident response RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks RSA Security January 2014 RSA Threat Detection Techniques - - Point of Sale Attacks Table

More information

Build Your Own Security Lab

Build Your Own Security Lab Build Your Own Security Lab A Field Guide for Network Testing Michael Gregg WILEY Wiley Publishing, Inc. Contents Acknowledgments Introduction XXI xxiii Chapter 1 Hardware and Gear Why Build a Lab? Hackers

More information

Spyware Analysis. jan.monsch@csnc.ch. Security Event - April 28, 2004 Page 1

Spyware Analysis. jan.monsch@csnc.ch. Security Event - April 28, 2004 Page 1 Spyware Analysis jan.monsch@csnc.ch Security Event - April 28, 2004 Page 1 Content Definition & types of spyware Statistics Hooks Static vs. dynamic software analysis Test environment for spyware Analysis

More information

New Trojan Found: Admin.HLP

New Trojan Found: Admin.HLP ERT Threat Alert New Trojan Found: Admin.HLP Leaks Organizations Data Eyal Benishti Security Researcher, ERT Research Lab 28.08.2012 Contents Executive Summary... 3 When the Help File is Not Very Helpful...

More information

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002 Security Policy MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS ENCRYPTION DLL CRYPTOGRAPHIC MODULE REV 1.3, 10/2002 CONTENTS Module Overview... 1 Scope of Document... 2 Terms and Definitions...

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Loophole+ with Ethical Hacking and Penetration Testing

Loophole+ with Ethical Hacking and Penetration Testing Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,

More information

by New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document

by New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document Avitage IT Infrastructure Security Document The purpose of this document is to detail the IT infrastructure security policies that are in place for the software and services that are hosted by Avitage.

More information

Windows Rootkit Overview

Windows Rootkit Overview WHITE PAPER: SYMANTEC SECURITY RESPONSE Windows Rootkit Overview White Paper: Symantec Security Response Windows Rootkit Overview Contents Introduction...4 User Mode Rootkits...4 Kernel Mode Rootkits...5

More information

Threat Events: Software Attacks (cont.)

Threat Events: Software Attacks (cont.) ROOTKIT stealthy software with root/administrator privileges aims to modify the operation of the OS in order to facilitate a nonstandard or unauthorized functions unlike virus, rootkit s goal is not to

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Persistence Mechanisms as Indicators of Compromise

Persistence Mechanisms as Indicators of Compromise Persistence Persistence Mechanisms as Indicators of Compromise An automated technology for identifying cyber attacks designed to survive indefinitely the reboot process on PCs White Paper Date: October

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

INFORMATION SECURITY TRAINING CATALOG (2015)

INFORMATION SECURITY TRAINING CATALOG (2015) INFORMATICS AND INFORMATION SECURITY RESEARCH CENTER CYBER SECURITY INSTITUTE INFORMATION SECURITY TRAINING CATALOG (2015) Revision 3.0 2015 TÜBİTAK BİLGEM SGE Siber Güvenlik Enstitüsü P.K. 74, Gebze,

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures Eric J. Eifert Vice President, Cyber Defense Division ManTech s Mission, Cyber, & Technology Solutions Presentation Overview

More information

Montgomery College Germantown Campus NW246: Network Defense and Countermeasures Master Course Syllabus

Montgomery College Germantown Campus NW246: Network Defense and Countermeasures Master Course Syllabus Montgomery College Germantown Campus NW246: Network Defense and Countermeasures Master Course Syllabus Course Description: The purpose of this course is to prepare students for Level One of the Security

More information

Practical Threat Intelligence. with Bromium LAVA

Practical Threat Intelligence. with Bromium LAVA Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful

More information

CHAD TILBURY. chad@forensicmethods.com. http://forensicmethods.com @chadtilbury

CHAD TILBURY. chad@forensicmethods.com. http://forensicmethods.com @chadtilbury CHAD TILBURY chad@forensicmethods.com 0 Former: Special Agent with US Air Force Office of Special Investigations 0 Current: Incident Response and Computer Forensics Consultant 0 Over 12 years in the trenches

More information

Network Incident Report

Network Incident Report To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850

More information

Digital Forensics Fundamentals

Digital Forensics Fundamentals Digital Forensics Fundamentals 1 P a g e Table of Contents 1. Overview of Digital Forensics... 3 2. Evaluation of Digital forensic tools... 5 2.1 Encase Digital forensic tool... 5 2.1.1 Benefits with Encase

More information

Welcome To The L.R.F.H.S. Computer Group Wednesday 27 th November 2013

Welcome To The L.R.F.H.S. Computer Group Wednesday 27 th November 2013 Welcome To The L.R.F.H.S. Computer Group Wednesday 27 th November 2013 BACKUP SECURITY AND THE CLOUD BACK UP ALWAYS BACK UP TO AN EXTERNAL DEVICE OR REMOVAL MEDIA- NEVER DIRECTLY ON TO YOUR COMPUTER IF

More information

Host/Platform Security. Module 11

Host/Platform Security. Module 11 Host/Platform Security Module 11 Why is Host/Platform Security Necessary? Firewalls are not enough All access paths to host may not be firewall protected Permitted traffic may be malicious Outbound traffic

More information

That Point of Sale is a PoS

That Point of Sale is a PoS SESSION ID: HTA-W02 That Point of Sale is a PoS Charles Henderson Vice President Managed Security Testing Trustwave @angus_tx David Byrne Senior Security Associate Bishop Fox Agenda POS Architecture Breach

More information

Mobile Device Management:

Mobile Device Management: Mobile Device Management: A Risk Discussion for IT Decision Makers Mobile Device Management (MDM) software provides IT organizations with security-relevant capabilities that support the integration of

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks Security+ Guide to Network Security Fundamentals, Third Edition Chapter 2 Systems Threats and Risks Objectives Describe the different types of software-based attacks List types of hardware attacks Define

More information

Protecting Yourself from Identity Theft

Protecting Yourself from Identity Theft Protecting Yourself from Identity Theft Identity theft is everywhere. In fact, according to a 2013 report by Javelin Research, there is one incident of identity fraud every two seconds. While we cannot

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions 1 Agenda What is Application Whitelisting (AWL) Protection provided by Application

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

Keyword: Cloud computing, service model, deployment model, network layer security.

Keyword: Cloud computing, service model, deployment model, network layer security. Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging

More information

Memory Forensics: Collecting & Analyzing Malware Artifacts from RAM

Memory Forensics: Collecting & Analyzing Malware Artifacts from RAM Memory Forensics: Collecting & Analyzing Malware Artifacts from RAM ISSA DC Chapter March 15, 2011 Presented by: Inno Eroraha, CISSP, CISM, CHFI, PI NetSecurity Corporation 21351 Gentry Drive, Suite 230

More information

DoD Cyber Crime Center

DoD Cyber Crime Center DoD Cyber Crime Center (DC3) Digital Forensics Challenge 2013 Team Northrop Grumman April 30, 2014 Jesse Mayer Northrop Grumman Cyber Security Operations Center DC3 Digital Forensics Challenge Annual Competition

More information

WildFire. Preparing for Modern Network Attacks

WildFire. Preparing for Modern Network Attacks WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends

More information

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan Fahad Ehsan Cyber Security Researcher Where it all started. ------------------------------------------------------------------------------------------ Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt)

More information

egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game.

egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game. egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game. TEHTRI-Security 2010-2015 www.tehtri-security.com Forensic with egambit In this document, we will introduce

More information

Securing Secure Browsers

Securing Secure Browsers Securing Secure Browsers SESSION ID: TRM-T11 Prashant Kumar Verma Sr. Consultant & Head (Security Testing) Paladion Networks @prashantverma21 Agenda Browser Threats Secure Browsers to address threats Secure

More information

Reverse Engineering and Computer Security

Reverse Engineering and Computer Security Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and

More information

RSA Security Anatomy of an Attack Lessons learned

RSA Security Anatomy of an Attack Lessons learned RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack

More information

Memory Forensics & Security Analytics: Detecting Unknown Malware

Memory Forensics & Security Analytics: Detecting Unknown Malware Memory Forensics & Security Analytics: Detecting Unknown Malware SESSION ID: SEC-T09 Fahad Ehsan Associate Director Security Research and Analytics UBS AG Where it all started. ------------------------------------------------------------------------------------------

More information

Alert (TA14-212A) Backoff Point-of-Sale Malware

Alert (TA14-212A) Backoff Point-of-Sale Malware Alert (TA14-212A) Backoff Point-of-Sale Malware Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity

More information

BYOD AND NEXT- GENERATION MOBILE SECURITY

BYOD AND NEXT- GENERATION MOBILE SECURITY BYOD AND NEXT- GENERATION MOBILE SECURITY Joseph Gan V-Key Inc Session ID: MBS-W02 Session Classification: General Interest Next-Generation Computing Mobile enterprise apps Mobile payments Mobile authentication

More information

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

LASTLINE WHITEPAPER. In-Depth Analysis of Malware LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).

More information

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

Information Technology Audit & Forensic Techniques. CMA Amit Kumar Information Technology Audit & Forensic Techniques CMA Amit Kumar 1 Amit Kumar & Co. (Cost Accountants) A perfect blend of Tax, Audit & Advisory services Information Technology Audit & Forensic Techniques

More information

Digital Forensic analysis of malware infected machine Case study ***

Digital Forensic analysis of malware infected machine Case study *** Abstract Digital Forensic analysis of malware infected machine Case study Amulya Podile, Keerthi G & Krishna Sastry Pendyala# Incident Response & Malware Analysis Unit, Digital Forensics CoE, Tata Consultancy

More information

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security Researcher @memfors4all #RSAC

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security Researcher @memfors4all #RSAC SESSION ID: ANF-T09 Detecting Unknown Malware: Security Analytics & Memory Forensics Fahad Ehsan Cyber Security Researcher @memfors4all Where it all Started ------------------------------------------------------------------------------------------

More information

MALWARE REMOVAL TOOL. User Guide. APPLICATION VERSION b MAINTENANCE RELEASE 1

MALWARE REMOVAL TOOL. User Guide. APPLICATION VERSION b MAINTENANCE RELEASE 1 MALWARE REMOVAL TOOL User Guide APPLICATION VERSION 1.0.0 33 b MAINTENANCE RELEASE 1 MALWARE REMOVAL TOOL Thank you for choosing us! This guide will give answers to all your questions. Dear User, Meet

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

Kautilya: Teensy beyond shells

Kautilya: Teensy beyond shells Kautilya: Teensy beyond shells Kautilya Toolkit for Teensy device Nikhil Mittal 1 P a g e Contents Kautilya Toolkit for Teensy device... 1 Nikhil Mittal... 1 Abstract... 3 Attack Surface and Scenarios...

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Spyware. Summary. Overview of Spyware. Who Is Spying?

Spyware. Summary. Overview of Spyware. Who Is Spying? Spyware US-CERT Summary This paper gives an overview of spyware and outlines some practices to defend against it. Spyware is becoming more widespread as online attackers and traditional criminals use it

More information

Top Ten Cyber Threats

Top Ten Cyber Threats Top Ten Cyber Threats Margaret M. McMahon, Ph.D. ICCRTS 2014 Introduction 2 Motivation Outline How malware affects a system Top Ten (Simple to complex) Brief description Explain impacts Main takeaways

More information

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security Mitigating Server Breaches with Secure Computation Yehuda Lindell Bar-Ilan University and Dyadic Security The Problem Network and server breaches have become ubiquitous Financially-motivated and state-sponsored

More information

Breach Found. Did It Hurt?

Breach Found. Did It Hurt? ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many

More information

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

This report is a detailed analysis of the dropper and the payload of the HIMAN malware. PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware

More information

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology JungDae Kim (jdcom@ksel.co.kr) ByongKi Park (bgbak@ksel.co.kr) CONTENTS 1 Background Information 2 Vulnerability

More information

ERNW Newsletter 29 / November 2009

ERNW Newsletter 29 / November 2009 ERNW Newsletter 29 / November 2009 Dear Partners and Colleagues, Welcome to the ERNW Newsletter no. 29 covering the topic: Data Leakage Prevention A Practical Evaluation Version 1.0 from 19th of november

More information

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE) Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE) Andreas Greulich, MELANI Swiss Cyber Storm, 18 April 2009 Agenda Part 1: Introduction (~5 ) Infection

More information

ESET CYBER SECURITY PRO for Mac Quick Start Guide. Click here to download the most recent version of this document

ESET CYBER SECURITY PRO for Mac Quick Start Guide. Click here to download the most recent version of this document ESET CYBER SECURITY PRO for Mac Quick Start Guide Click here to download the most recent version of this document ESET Cyber Security Pro provides state-of-the-art protection for your computer against

More information

FORENSIC ANALYSIS Aleš Padrta

FORENSIC ANALYSIS Aleš Padrta FORENSIC ANALYSIS Aleš Padrta CESNET, CESNET-CERTS, FLAB CESNET Czech NREN operator CESNET-CERTS 2004 Established 2008 Accredited CSIRT FLAB Forensic LABoratory Established 6/2011 Support team for CESNET-CERTS

More information

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning

More information

Identifying and Finding Forensic Evidence from Windows Application

Identifying and Finding Forensic Evidence from Windows Application Identifying and Finding Forensic Evidence from Windows Application Funminiyi Olajide, School of Engineering, University of Portsmouth, United Kingdom Nick Savage, School of Engineering, University of Portsmouth,

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida 33351 www.legalclub.

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida 33351 www.legalclub. Keylogging Identity The Defense System TM Whitepaper Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida 33351 www.legalclub.com Summary Keyloggers are a serious security threat that

More information

FOR MAC. Quick Start Guide. Click here to download the most recent version of this document

FOR MAC. Quick Start Guide. Click here to download the most recent version of this document FOR MAC Quick Start Guide Click here to download the most recent version of this document ESET Cyber Security Pro provides state-of-the-art protection for your computer against malicious code. Based on

More information

PE Explorer. Heaventools. Malware Code Analysis Made Easy

PE Explorer. Heaventools. Malware Code Analysis Made Easy Heaventools PE Explorer Data Sheet Malware Code Analysis Made Easy Reverse engineers within the anti-virus, vulnerability research and forensics companies face the challenge of analysing a large number

More information

Computer Forensics Incident Response and Live Memory Analysis. Thomas S. Hyslip. East Carolina University

Computer Forensics Incident Response and Live Memory Analysis. Thomas S. Hyslip. East Carolina University Computer Forensics Incident Response and Live Memory Analysis 1 Computer Forensics Incident Response and Live Memory Analysis Thomas S. Hyslip East Carolina University Computer Forensics Incident Response

More information

Reviewer s Guide Kaspersky Internet Security for Mac

Reviewer s Guide Kaspersky Internet Security for Mac Reviewer s Guide Kaspersky Internet Security for Mac 1 Protection for Mac OS X The main window shows all key features such as Scan, Update, Safe Money, and Parental Control in a single place. The current

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information