Computer Forensics Incident Response and Live Memory Analysis. Thomas S. Hyslip. East Carolina University
Abstract

When a computer system is involved in a security incident such as an intrusion, virus, malware infection, or some other compromise, information security personnel must respond to investigate and mitigate the situation. Until recently the standard procedure was to isolate the computer, disconnect it from the network, and shut it down, then remove the hard drive, create a forensic image of the hard drive, and examine the image for evidence. While this is forensically sound, stops further damage, and limits liability, it may be destroying important evidence. Emerging threats such as rootkits and malware installed in RAM require computer security professionals to change their standard operating procedures for incident response and incorporate live forensics. This paper examines the free tools available to computer security professionals to capture an image of the running memory of a Windows operating system and perform a forensic analysis of that image.

Introduction

Traditional incident response and computer forensic training teaches students to isolate the affected system and shut it down, then remove the hard drive, create a forensic image of the drive, and review the image for evidence in a static laboratory setting. The investigation also includes reviewing log data from firewalls and intrusion detection systems. While this procedure works fine for incidents such as an employee accessing inappropriate web sites, it is insufficient for computer intrusions or malware infections. Incident responders and computer forensic experts must continually update their procedures and incorporate new technologies, and this is especially true for computer intrusions and malware infections. With standard memory ranging from 2 GB to 4 GB of RAM on personal computers, it is possible for intruders to install rootkits or malware within RAM. Many hacker tools now use DLL injection, hooks, and other methods to ensure that their code executes only in memory without ever touching the hard drive. The SQL Slammer worm is one example of a virus that resides only in memory and never touches the hard drive. Therefore it is important for responders to investigate the RAM and conduct a live analysis of the computer prior to shutting it down and losing all the volatile data stored in RAM. This paper examines the new technologies available to acquire an image of the RAM and analyze the data prior to shutting the computer down.

RAM Acquisition

To collect evidence from the volatile storage of a compromised system, it is necessary to violate one of the iron rules of computer forensics: "Don't touch the keyboard or do anything to a running system." Why has this been the rule? It is to preserve the accuracy of the system's file time stamps. When an incident responder arrives on scene and pulls the power (USSS, p. 1) on the compromised system, the file time stamps are frozen. The responder then pulls the hard drive, creates a forensic bit-for-bit copy using a write blocker, and uses software to examine the copy. Then in court the responder can testify that they did not do anything to change the data on the hard drive of the compromised system. While this long-standing rule has very valid reasons for existing, there are exceptions. The modern tools used by hackers that were discussed in the introduction require all incident responders to consider the fact that pulling the power from a compromised system to preserve file time stamps may actually lose more evidence than it preserves. Therefore responders must decide whether they should extract and preserve evidence in RAM, as it may be worth the cost of altering some file time stamps. As during any response, it is imperative that responders maintain meticulous notes of their actions, especially if they choose to conduct a live analysis and preserve the evidence in RAM.

Extracting evidence from RAM requires some sort of live analysis and interaction with the compromised system. It is important to keep your interactions with the compromised system to a minimum and to bring your own trusted tools. You do not want to utilize any commands or DLLs from the compromised system, because many of the DLLs and system commands can be compromised by hacker tools and return invalid results to hide the hacker's presence on the system. The preferred method of utilizing your trusted tools is through live CDs that contain the commands and the associated DLLs required to execute them. While it is possible to create your own live CDs to conduct live analysis, that is beyond the scope of this paper.

There are a variety of methods available to capture an image of the running system's memory. The solutions range from proprietary software systems costing thousands of dollars to freeware tools that can be downloaded from the internet. Whatever tool you choose to utilize, it is important to conduct your own tests and validation of the tool. This paper examines the following free live analysis and RAM imaging tools:

- ManTech's Memory DD
- Helix

Memory DD

Developed by ManTech, Memory DD captures a record of physical (random access) memory, which is lost when the computer is shut down. Memory DD is a free download available from ManTech's website. Memory DD supports acquiring memory images from Microsoft Windows 2000, Server 2003, XP, and Vista. The download is available as either an executable or a zip file. Version 1.3 is the latest release and operates from a command line within Windows. It is capable of capturing up to 4 GB of memory from a Windows machine. I found the easiest way to run Memory DD is from a USB thumb drive of at least 4 GB. This enables you to capture the memory to the USB thumb drive for later analysis. The command line to capture the memory is

I:\> mdd_1.3 -o winxp

This saves the image of the memory to the output file winxp on the I: drive, which in this case is the USB thumb drive. Below is a screen capture of Memory DD dumping 1.2 GB of memory from a running Windows XP computer. It took approximately 15 minutes to capture the 1.2 GB of memory, and Memory DD returned 16 errors during the capture.

Figure 1. Memory DD Capture.
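The paper stresses that responders must keep meticulous notes of every action taken on the live system. The script below is an added example, not code from the paper or from ManTech's Memory DD or Helix: once a capture such as the mdd_1.3 command above has written the image to the USB drive, it hashes the image file, records size, tool and examiner in an append-only JSON-lines log, and can later re-verify the image against that record so the examiner can show the analysed image is the one captured. The file names, the log layout and the demo() helper are assumptions made for this example; the image it hashes is a constructed stand-in, not a real memory dump.

```python
"""Log and later verify a captured RAM image (added example, not part of the
paper or of Memory DD/Helix).  Paths, the JSON-lines log layout and demo()
are assumptions made for this example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests; read in chunks because RAM images
    are often several GB and should not be loaded into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def record_acquisition(image_path, log_path, tool, examiner, notes=""):
    """Append one acquisition record (hashes, size, tool, examiner, UTC time)
    to an append-only JSON-lines log and return the record."""
    md5, sha256 = hash_file(image_path)
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "md5": md5,
        "sha256": sha256,
        "tool": tool,
        "examiner": examiner,
        "notes": notes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, log_path):
    """Re-hash the image and compare with its most recent log record.
    Returns True only if a record exists and both digests still match."""
    wanted = os.path.abspath(image_path)
    last = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["image"] == wanted:
                last = entry
    if last is None:
        return False
    return hash_file(image_path) == (last["md5"], last["sha256"])


def demo():
    """Run the workflow on a CONSTRUCTED stand-in for a memory image in a
    temporary directory.  Returns (record, verified_before, verified_after)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "winxp")      # same output name as the mdd example
    log = os.path.join(workdir, "acquisition.jsonl")
    with open(image, "wb") as fh:               # 4 KiB of zeros plus a marker
        fh.write(b"\x00" * 4096 + b"MZ")
    record = record_acquisition(image, log, tool="mdd_1.3",
                                examiner="examiner (placeholder)",
                                notes="capture to USB drive I:")
    verified_before = verify_image(image, log)
    with open(image, "ab") as fh:               # simulate later corruption of the copy
        fh.write(b"\x01")
    verified_after = verify_image(image, log)
    return record, verified_before, verified_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(f"sha256={rec['sha256']} size={rec['size_bytes']}")
    print(f"verified before modification: {before}, after: {after}")
```

The hashes document the image file, not the machine: running any capture tool on a live system changes memory, so two captures of the same host will never hash alike, and the log's value is in proving that the file examined later is the file written at capture time. Keep the log on the examiner's own media, never on the compromised system.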
Helix

Helix is really two resources in one. First, it is a live CD portable operating system that comes with computer forensic and incident response software preinstalled. It includes tools to make bit-for-bit images of hard drives with MD5 hashing capability, recycle bin analyzers, cookie analyzers for Internet Explorer, and rootkit hunters, plus many more. I highly recommend this portable operating system to anyone working in the information security field.

Figure 2. Helix Live CD Boot Screen.

The second part of the Helix CD is a live analysis tool for running Windows systems. If a computer is suspected of being compromised, you can run the Helix CD within Windows on the suspect computer and it will provide you with very valuable information, including a list of running processes and process IDs, as well as the ability to image running RAID arrays and the RAM of the suspect computer. When you first insert the Helix CD-ROM in the compromised system, Helix provides a warning screen to remind you that you are making changes to the running system.

Figure 2. Helix Warning.

Unlike Memory DD, Helix operates from a Windows GUI environment and gives you the additional option of extracting the RAM to a network share or networked computer via netcat. If you choose to save the image to a local drive, you must attach an external hard drive or USB thumb drive, because you do not want to save the image to the local hard drive. Helix also lets the user split the image and set the block size for the image.

Figure 3. Helix Live Acquisition of Physical RAM.

Memory Image Analysis

Now that you have captured an image of the running memory from the compromised computer, you can isolate the computer and shut it down. The captured image can then be analyzed in a controlled environment. This paper examines the free RAM analysis tool Volatility.

Volatility

Volatility is a collection of tools implemented in Python for the examination of RAM images. Version is the latest stable release of Volatility, but version 1.3 is available in beta. The software is available for download from the Volatile Systems website. In addition to the Windows version we used, Volatility is also available for Linux, Cygwin, and OS X. Volatility requires Python to be installed on the examination computer in order to operate. Python can be obtained from its official website. The available commands and their actions are listed below.

connections   Print list of open connections
connscan      Scan for connection objects
connscan2     Scan for connection objects
datetime      Get date/time information for image
dlllist       Print list of loaded DLLs for each process
dmp2raw       Convert a crash dump to a raw dump
dmpchk        Dump crash dump information
files         Print list of open files for each process
hibinfo       Convert hibernation file to linear sample
ident         Identify image properties
memdmp        Dump the addressable memory for a process
memmap        Print the memory map
modscan       Scan for modules
modscan2      Scan for module objects
modules       Print list of loaded modules
procdump      Dump a process to an executable sample
pslist        Print list of running processes
psscan        Scan for EPROCESS objects
psscan2       Scan for process objects
raw2dmp       Convert a raw dump to a crash dump
regobjkeys    Print list of open regkeys for each process
sockets       Print list of open sockets
sockscan      Scan for socket objects
sockscan2     Scan for socket objects
strings       Match physical offsets to virtual addresses
thrdscan      Scan for ETHREAD objects
thrdscan2     Scan for thread objects
vaddump       Dump the VAD sections to files
vadinfo       Dump the VAD info
vadwalk       Walk the VAD tree

According to the Volatile Systems website, Volatility is able to extract the following information from memory images:

- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- Open registry keys for each process
- OS kernel modules
- Mapping of physical offsets to virtual addresses
- Virtual Address Descriptor information
- Addressable memory for each process
- Memory maps for each process
- Extracted executable samples
- Scanning examples: processes, threads, sockets, connections, modules

The results of a Volatility examination are very similar to the output of Microsoft's Windows Sysinternals tools. Volatility extracts the information from the memory image and puts it back together in a useful format. The dlllist command is very useful, as it shows the size and path of every DLL used by each running process. So is the output of the pslist command, which shows all the running processes on the system. Hidden processes may not show up in the pslist or dlllist output, but might be present in the output of the psscan command. The psscan command returns the physical address of every EPROCESS object it finds. If you find an EPROCESS with psscan that has no corresponding process in pslist and no DLLs according to dlllist, then that is most likely your malware or a hidden process put in place by the attacker.
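The pslist/psscan/dlllist comparison the paragraph above describes is a cross-view check: pslist walks the kernel's linked list of active processes, while psscan carves EPROCESS structures out of physical memory, so anything unlinked from the list still shows up in the scan. The following script is an added example, not code from the paper or from the Volatility project. It parses the three outputs and flags every EPROCESS that psscan reports but pslist does not, noting whether dlllist found any modules for it. The sample outputs are constructed in a simplified columnar layout (real Volatility output differs by version), and the process names, PIDs and offsets in them are invented for the example.

```python
"""Cross-view check for hidden processes (added example, not the paper's or
the Volatility project's code): an EPROCESS found by scanning physical
memory (psscan) that is absent from the active-process list (pslist), and
that shows no loaded DLLs (dlllist), is flagged as the paper describes.

The sample outputs below are CONSTRUCTED in a simplified columnar layout;
real Volatility output differs by version, so the parser keys on column
names rather than on fixed positions."""

# Constructed sample of what `pslist` might print for a small image.
PSLIST_OUTPUT = """\
Name                 Pid    PPid   Thds   Hnds
System               4      0      56     264
smss.exe             368    4      3      21
csrss.exe            592    368    12     423
winlogon.exe         616    368    19     505
explorer.exe         1464   1416   14     392
"""

# Constructed sample of `psscan`: it carves EPROCESS objects from physical
# memory, so it also reports processes unlinked from the kernel's list.
# The pid-1880 entry with a look-alike name is the constructed anomaly.
PSSCAN_OUTPUT = """\
PID    PPID   Offset     Remarks
4      0      0x01bcc830 System
368    4      0x01b9e020 smss.exe
592    368    0x01b7f5c0 csrss.exe
616    368    0x01b6c020 winlogon.exe
1464   1416   0x01a2d640 explorer.exe
1880   616    0x0196e8a0 svch0st.exe
"""

# Constructed `dlllist` output per PID; an empty string means no DLLs found.
DLLLIST_OUTPUT = {
    1880: "",
    1464: "0x7c800000 0xf6000 C:\\WINDOWS\\system32\\kernel32.dll\n",
}


def parse_table(text):
    """Parse whitespace-separated columnar output into a list of dicts.
    The first non-empty line is the header; the last column may contain
    spaces, so each row is split into at most len(header) fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split(None, len(header) - 1)))
            for ln in lines[1:]]


def find_hidden_processes(pslist_text, psscan_text, dlllist_by_pid=None):
    """Return [(pid, name, offset, has_dlls)] for every EPROCESS that psscan
    reports but pslist does not.  has_dlls is None when no dlllist data was
    supplied for that PID, so a missing dlllist run is not mistaken for
    'no DLLs'."""
    listed = {int(r["Pid"]) for r in parse_table(pslist_text)}
    hidden = []
    for row in parse_table(psscan_text):
        pid = int(row["PID"])
        if pid in listed:
            continue
        has_dlls = None
        if dlllist_by_pid is not None and pid in dlllist_by_pid:
            has_dlls = bool(dlllist_by_pid[pid].strip())
        hidden.append((pid, row["Remarks"], row["Offset"], has_dlls))
    return hidden


if __name__ == "__main__":
    for pid, name, offset, has_dlls in find_hidden_processes(
            PSLIST_OUTPUT, PSSCAN_OUTPUT, DLLLIST_OUTPUT):
        detail = {True: "DLLs present", False: "no DLLs loaded",
                  None: "dlllist not run"}[has_dlls]
        print(f"EPROCESS at {offset}: pid {pid} ({name}) absent from pslist; {detail}")
```

A psscan-only hit is a lead, not a verdict: the scan also recovers EPROCESS objects of processes that have exited but whose memory has not yet been reused. Before treating a hit as malware, check its exit time in the psscan output and corroborate with dlllist, open files and sockets for that PID.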
As you can see, much useful information can be retrieved from the memory image that might not otherwise have been discovered. Below is a screen capture of Volatility.

Figure 4. Dlllist.

Conclusion

As you can see, there are free tools available to image the memory (RAM) of a running Windows system. Imaging the RAM is simple and straightforward, and I recommend using the Helix Live CD and a USB thumb drive or external hard drive. The analysis of the memory image is slightly more complicated, and the available free programs are still being developed and improved. However, there are commercial programs available that provide in-depth analysis of memory images. HBGary Inc. released Responder Professional and recently announced they would be working with Guidance Software to include their products with EnCase. So, should you acquire an image of the memory during a computer security incident? That depends. For complex intrusions involving malware, I would definitely recommend it. It is better to capture the RAM just in case your standard investigation doesn't reveal any evidence; then you can analyze the RAM. For standard misuse cases or inappropriate content, it might not be necessary to capture the RAM. But what does it hurt? I agree with Vidas (2006) and Shipley and Reeve (2006) that RAM acquisition will become an industry standard and the benefits outweigh the risks (p. 317; p. 6). Therefore, I recommend including the process in all responses as part of your standard operating procedure. That way you always have a copy of the RAM just in case, you become proficient at the process, and when you have the complex intrusion you are not imaging the RAM for the first time.

References

Broersa, Matthew. (2007). Rootkits Evade Hardware Detection. PCWorld.
Burdach, Mariusz. (2006). Physical Memory Forensics. Black Hat conference presentation.
Carrier, Brian, and Grand, Joe. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, Vol. 1, No. 1.
Carrier, Brian. (2002). Open Source Digital Forensics Tools: The Legal Argument.
Guidance Software. (2008).
HBGary, Inc. (2008).
Kornblum, Jesse. (2002). Preservation of Fragile Digital Evidence by First Responders. US Air Force Office of Special Investigations. Digital Forensic Workshop.
ManTech International Corporation. (2008).
Russinovich, Mark, and Solomon, David. (2005). Microsoft Windows Internals. Microsoft Press, Redmond, Washington.
Shipley, Todd, and Reeve, Henry. (2006). Collecting Evidence from a Running Computer. SEARCH, The National Consortium for Justice Information and Statistics. (p. 6)
US Secret Service. (2008). Best Practices for Seizing Electronic Evidence. (p. 1)
Vidas, Timothy. (2006). The Acquisition and Analysis of Random Access Memory. Journal of Digital Forensic Practice, December 2006 issue. (p. 317)
Volatile Systems. (2008).
More informationPMOD Installation on Linux Systems
User's Guide PMOD Installation on Linux Systems Version 3.7 PMOD Technologies Linux Installation The installation for all types of PMOD systems starts with the software extraction from the installation
More informationDeveloping Computer Forensics Solutions for Terabyte Investigations
Developing Computer Forensics Solutions for Terabyte Investigations Eric Thompson Corporation Orem, Utah USA www.accessdata.com Overview Computer Forensic Definition, Objectives and Policies History of
More informationCourse Title: Penetration Testing: Network & Perimeter Testing
Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics
More informationCOWLEY COLLEGE & Area Vocational Technical School
COWLEY COLLEGE & Area Vocational Technical School COURSE PROCEDURE FOR Student Level: This course is open to students on the college level in either the freshman or sophomore year. Prerequisites: Basic
More informationHow to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01
How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot
More informationWhere is computer forensics used?
What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic
More informationDetermining VHD s in Windows 7 Dustin Hurlbut
Introduction Windows 7 has the ability to create and mount virtual machines based upon launching a single file. The Virtual Hard Disk (VHD) format permits creation of virtual drives that can be used for
More informationY R O. Memory Forensics: A Volatility Primer M E M. Mariano Graziano. Security Day - Lille1 University January 2015 - Lille, France
emory Forensics: A Volatility Primer ariano Graziano Security Day - Lille1 University January 2015 - Lille, France whoami Ph.D student at urecom (France) sc from Politecnico di Torino (Italy) ain topics:
More informationCOMPUTER-BASED TESTING INFORMATION
Michigan Supreme Court BOARD OF LAW EXAMINERS Michigan Hall of Justice P.O. Box 30052 Lansing, MI 48909 Phone (517) 373-4453 ble-info@courts.mi.gov COMPUTER-BASED TESTING INFORMATION Michigan Supreme Court
More informationAdvanced Registry Forensics with Registry Decoder. Dr. Vico Marziale Sleuth Kit and Open Source Digital Forensics Conference 2012 10/03/2012
Advanced Registry Forensics with Registry Decoder Dr. Vico Marziale Sleuth Kit and Open Source Digital Forensics Conference 2012 10/03/2012 Who am I? Senior Security Researcher @ DFS Published Researcher
More informationSTUDY GUIDE CHAPTER 4
STUDY GUIDE CHAPTER 4 True/False Indicate whether the statement is true or false. 1. A(n) desktop operating system is designed for a desktop or notebook personal computer. 2. A(n) mirrored user interface
More informationWindows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
More informationRedline Users Guide. Version 1.12
Redline Users Guide Version 1.12 Contents Contents 1 About Redline 5 Timeline 5 Malware Risk Index (MRI) Score 5 Indicators of Compromise (IOCs) 5 Whitelists 5 Installation 6 System Requirements 6 Install
More informationEnCase Portable Demo P A G E 0
EnCase Portable Demo P A G E 0 EnCase Portable Easy to Use Collection Solution Brent Botta Director of ediscovery Solution Agenda P A G E 2 EnCase Portable Solution What is it? Business Issues to Utilize
More informationGuide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics Objectives Understand Internet fundamentals Understand network basics Acquire data on a Linux computer Guide
More informationTZWorks Windows Event Log Viewer (evtx_view) Users Guide
TZWorks Windows Event Log Viewer (evtx_view) Users Guide Abstract evtx_view is a standalone, GUI tool used to extract and parse Event Logs and display their internals. The tool allows one to export all
More informationProf. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece
Prof. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece University of Piraeus, Greece Department of Digital Systems System Security Laboratory founded
More informationSimple Powerful. Efficient! Inventory. Network Audit and Computer Inventory Within Minutes. DATA CONCEPT software. PC Hardware Inventory
PC Hardware Software audit and license management Network scan Simple Powerful Collected data processing Efficient! Network Audit and Computer Within Minutes Summary Synexsys (SXSi) is a simple and powerful
More informationComparing and Contrasting Windows and Linux Forensics. Zlatko Jovanovic. International Academy of Design and Technology
Comparing and Contrasting Windows and Linux Forensics Zlatko Jovanovic International Academy of Design and Technology Abstract Windows and Linux are the most common operating systems used on personal computers.
More informationMaking the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION
Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION MOST OF THE IMPORTANT DATA LOSS VECTORS DEPEND ON COPYING files in order to compromise
More informationVISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation
VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook
More informationAvira Rescue System. HowTo
Avira Rescue System HowTo Table of contents 1. Introduction... 3 2. System Requirements... 4 3. Product availability... 4 4. Product features... 5 5. Using the Rescue System... 6 5.1 The BIOS setup...6
More informationForensically Determining the Presence and Use of Virtual Machines in Windows 7
Forensically Determining the Presence and Use of Virtual Machines in Windows 7 Introduction Dustin Hurlbut Windows 7 has the ability to create and mount virtual machines based upon launching a single file.
More informationusing memory dumps in digital forensics
SAM STOVER AND MATT DICKERSON using memory dumps in digital forensics Stover is an independent security researcher with experience in network- and host-based forensics. sam.stover@gmail.com Matt Dickerson
More informationIncident Response Plan for PCI-DSS Compliance
Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible
More informationIMPLEMENTING FORENSIC READINESS USING PERFORMANCE MONITORING TOOLS
Chapter 18 IMPLEMENTING FORENSIC READINESS USING PERFORMANCE MONITORING TOOLS Franscois van Staden and Hein Venter Abstract This paper proposes the use of monitoring tools to record data in support of
More informationThis guide will go through the common ways that a user can make their computer more secure.
A beginners guide in how to make a Laptop/PC more secure. This guide will go through the common ways that a user can make their computer more secure. Here are the key points covered: 1) Device Password
More informationTop Ten Cyber Threats
Top Ten Cyber Threats Margaret M. McMahon, Ph.D. ICCRTS 2014 Introduction 2 Motivation Outline How malware affects a system Top Ten (Simple to complex) Brief description Explain impacts Main takeaways
More informationOverview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms
Overview Common Internet Threats Tom Chothia Computer Security, Lecture 19 Phishing Sites Trojans, Worms, Viruses, Drive-bydownloads Net Fast Flux Domain Flux Infiltration of a Net Underground economy.
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationComputing forensics: a live analysis
April 18th, 2005 1 2 3 Objectives Evidence acquisition Recovery and examination of suspect digital evidence (think Warrick Brown on CSI) Hardware: servers, workstations, laptops, PDAs, mobiles, cameras
More informationCollecting Windows Security Audit Log data with NXLog and Sysmon. Collecting Windows Security Audit Log data with NXLog and Sysmon
Collecting Windows Security Audit Log data with NXLog and Sysmon i Collecting Windows Security Audit Log data with NXLog and Sysmon Collecting Windows Security Audit Log data with NXLog and Sysmon ii Contents
More informationCERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford
CERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS Brian Carrier & Eugene H. Spafford Center for Education and Research in Information Assurance and Security, Purdue University,
More informationGetting Physical with the Digital Investigation Process
Getting Physical with the Digital Investigation Process Brian Carrier Eugene H. Spafford Center for Education and Research in Information Assurance and Security CERIAS Purdue University Abstract In this
More information