CHAD TILBURY.
|
|
- Benedict Hoover
- 8 years ago
- Views:
Transcription
1
2 CHAD TILBURY 0 Former: Special Agent with US Air Force Office of Special Investigations 0 Current: Incident Response and Computer Forensics Consultant 0 Over 12 years in the trenches 0 SANS Digital Forensics and Incident Response Instructor & Author
3 The Year of Memory Forensics? Linux Analysis Memory Timelining Mac OS X Analysis Volatile Registry Analysis 64 bit support Live Memory Analysis Whitelisting
4 Old School vs. New School vs.
5 Mac and Linux Memory Forensics
6 Mac Memory Reader 0 Runs on Mac OS X , PowerPC, Intel, x86, x64 0 Generates a Mach-O file or raw dump of memory (-P) 0 Optional image hashing (-H) 0 Load kernel extension to fake /dev/mem only (-k) 0 Simple and effective!
7 There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data. -Mac Memory Reader help file
8 Mac Memoryze 0 Dump memory 0 sudo macmemoryze dump f mem.dmp 0 Analysis (just the basics): 0 proclist 0 proclist w (similar to lsof) 0 proclist c (carve for processes) 0 kextlist 0 kextlist c (carve for kernel extensions) 0 Enumerate System Call Table and Mach Trap Table 0 Live analysis capable (do not include f option)
9 Mac Memoryze Proclist
10 Volatility + Mac = System Information 0 mac_print_boot_cmdline 0 mac_dmesg 0 mac_version 0 mac_vfs_events 0 mac_machine_info 0 mac_mount 0 mac_list_sessions 0 mac_list_zones 0 mac_ls_logins 0 mac_volshell Malware 0 mac_trustedbsd 0 mac_check_syscalls 0 mac_check_sysctl 0 mac_check_trap_table 0 mac_psxview 0 mac_yarascan 0 mac_notifiers 0 mac_ip_filters Process / Module Information 0 mac_pslist 0 mac_pstree 0 mac_proc_maps 0 mac_psaux 0 mac_lsmod 0 mac_lsof 0 mac_dead_procs 0 mac_pgrp_hash_table 0 mac_pid_hash_table 0 mac_dump_maps 0 mac_tasks Networking 0 mac_ifconfig 0 mac_netstat 0 mac_route 0 mac_arp /wiki/macmemoryforensics
11 Volatility + Mac
12 Linux Memory Acquisition 0 Old School: 0 dd if=/dev/kmem 0 Fmem kernel module 0 Redhat Crash Dump Utilities 0 New School
13 Volatility + Linux = System Information 0 linux_dmesg 0 linux_bash 0 linux_cpuinfo 0 linux_dentry_cache 0 linux_tmpfs 0 linux_find_file 0 linux_memmap 0 linux_mount 0 linux_mount_cache 0 linux_slabinfo 0 linux_iomem 0 linux_vma_cache 0 linux_volshell Malware 0 linux_yarascan 0 linux_check_syscall 0 linux_check_idt 0 linux_check_afinfo 0 linux_check_creds 0 linux_check_evt_arm 0 linux_check_fop 0 linux_check_tty 0 linux_check_modules 0 linux_keyboard_notifier Networking 0 linux_arp 0 linux_ifconfig 0 linux_netstat 0 linux_route_cache 0 linux_pkt_queues 0 linux_sk_buff_cache Process / Module Info 0 linux_proc_maps 0 linux_dump_map 0 linux_psaux 0 linux_pslist 0 linux_pslist_cache 0 linux_pstree 0 linux_psxview 0 linux_pidhashtable 0 linux_lsmod 0 linux_moddump 0 linux_lsof
14 linux_yarascan
15 linux_bash
16 Memory Timelining
17 What is Timeliner? 0 Set of Volatility plugins to collect time information from memory artifacts 0 Many memory artifacts have embedded timestamps: 0 Processes 0 Threads 0 Portable Executable Files 0 Process EXEs, DLLs, and Drivers 0 Network Sockets 0 Registry Keys 0 Event Logs 0 Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline 0 Volatility 2.3 now capable of body file format! 0 David Nides submitted recent patch for Log2Timeline format
18 Purpose Memory Timelining timeliner Timeliner collects timestamps from memory artifacts and outputs them in a timeline format Important Parameters Send output to a delimited file (--output-file=file_name) v2.1 Create output in body file format (--output=body) v2.3 Log2Timeline output format (pending) v2.4?? Investigative Notes Compatible with XP and Win7: automatically adjusts helper plugins Output can voluminous; best practice is to use --output-file The output is not currently compatible with other timeline formats Timeliner can take hours to run be patient! The -h help information currently lists many incorrect options
19 Example Output: Timeliner Processes Column Header Column Header 1 Creation Time 5 Parent Process ID 2 Artifact Type (PROCESS) 6 Exit Time 3 Process Name 7 EPROCESS Offset 4 Process ID
20 Timeliner Example
21 Redline Time Wrinkles
22 Live Response & Live Memory Analysis
23 Old School Batch Scripts
24 Mandiant Redline Collector
25 Redline Portable Collector
26 Live Memory Analysis Who Cares? 0 Digital Signature Checks 0 Digital signatures stripped when loaded into memory 0 Verification done using file certificates stored on-disk 0 MD5 Whitelisting 0 MD5 hashes of on-disk copies of memory mapped files 0 Must have access to file system 0 MemD5 Whitelisting 0 Hashing of in memory copy of binaries 0 Requires access to Page File
27 Narrowing Your Focus with Live Analysis
28 Whitelist Filtering 0 ID known good hashes from live memory analysis 0 Redline Options Whitelist Management 169 vs. 12 Items
29 Live Memory Analysis with Volatility 0 Winpmem 0 Raw, crash dump, and output to stdout 0 Direct analysis of running kernel (-l switch) 0 Optional write support! Volatility Technology Preview Branch Includes interactive shell (similar to volshell) -> the future of Volatility?
30 Live Analysis with winpmem
31 Live Response with Volatility
32 Good Day or Bad Day?
33 Old School doskey
34 Memory Carving
35 Purpose Typed Commands: cmdscan & consoles Scan csrss.exe (XP) and conhost.exe (Win7) for Command_History and Console_Information residue Important Parameters None Investigative Notes Gathering command history and console output can give insight into user / attacker activities cmdscan provides information from the command history buffer consoles prints commands (inputs) + screen buffer (outputs) Plugins can identify data from active and closed sessions
36 cmdscan Typed Commands: cmdscan & consoles
37 Old School pclip Find pcclip.exe at (or just get infected with Zeus)
38 Purpose Clipboard Contents: clipboard Extract contents of windows clipboard Important Parameters Verbose mode (-v) shows hex view of data (necessary if binary data stored in clipboard) Investigative Notes Recovers clipboard data for each Windows Station (i.e. console, RDP, Fast User Switching, etc.) Works on both XP/2003 and Windows 7/2008 systems In some cases, the clipboard only holds a pointer to the clipped content (i.e. the full path for a copied file)
39 Volatility Clipboard Contents: clipboard
40 Additional References BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf 0 DFIROnline Memory Forensics with Michael Cohen :
41 Thank You! computer-forensics.sans.org/blog
42
Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute
Detecting Malware With Memory Forensics Hal Pomeranz SANS Institute Why Memory Forensics? Everything in the OS traverses RAM Processes and threads Malware (including rootkit technologies) Network sockets,
More informationRedline Users Guide. Version 1.12
Redline Users Guide Version 1.12 Contents Contents 1 About Redline 5 Timeline 5 Malware Risk Index (MRI) Score 5 Indicators of Compromise (IOCs) 5 Whitelists 5 Installation 6 System Requirements 6 Install
More informationPTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference
PTK Forensics Dario Forte, Founder and Ceo DFLabs The Sleuth Kit and Open Source Digital Forensics Conference What PTK is about PTK forensics is a computer forensic framework based on command line tools
More informationA Day in the Life of a Cyber Tool Developer
A Day in the Life of a Cyber Tool Developer by Jonathan Tomczak jon@tzworks.net Jonathan Tomczak ( Front Man ) Software Engineer w/ over 7 years experience working in software and web development Dave
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationRedline Users Guide. Please visit our forums: https://forums.mandiant.com/
Redline Users Guide Please visit our forums: https://forums.mandiant.com/ MANDIANT Redline Users Guide MANDIANT Corporation MANDIANT Redline Users Guide Disclaimer Copyright 2012 Mandiant Corporation.
More informationRedline User Guide. Release 1.14
Redline User Guide Release 1.14 FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of their respective
More informationThe Value of Physical Memory for Incident Response
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
More informationGRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan
Fahad Ehsan Cyber Security Researcher Where it all started. ------------------------------------------------------------------------------------------ Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt)
More informationMemory Forensics & Security Analytics: Detecting Unknown Malware
Memory Forensics & Security Analytics: Detecting Unknown Malware SESSION ID: SEC-T09 Fahad Ehsan Associate Director Security Research and Analytics UBS AG Where it all started. ------------------------------------------------------------------------------------------
More informationMemory Forensics: Collecting & Analyzing Malware Artifacts from RAM
Memory Forensics: Collecting & Analyzing Malware Artifacts from RAM ISSA DC Chapter March 15, 2011 Presented by: Inno Eroraha, CISSP, CISM, CHFI, PI NetSecurity Corporation 21351 Gentry Drive, Suite 230
More informationAn Introduction to Incident Detection and Response Memory Forensic Analysis
An Introduction to Incident Detection and Response Memory Forensic Analysis Alexandre Dulaunoy - TLP:WHITE a@foo.be February 6, 2015 An overview to incident response Detection Analysis Containment Investigation
More informationRepublic Polytechnic School of Information and Communications Technology C226 Operating System Concepts. Module Curriculum
Republic Polytechnic School of Information and Communications Technology C6 Operating System Concepts Module Curriculum Module Description: This module examines the fundamental components of single computer
More informationDetecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security Researcher @memfors4all #RSAC
SESSION ID: ANF-T09 Detecting Unknown Malware: Security Analytics & Memory Forensics Fahad Ehsan Cyber Security Researcher @memfors4all Where it all Started ------------------------------------------------------------------------------------------
More informationVISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation
VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook
More informationEVTXtract. Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, 2013. Mandiant Corporation. All rights reserved.
EVTXtract Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, 2013 What do we have here today? A technical presentation on a novel forensic technique for recovering past
More informationFATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11
FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory DFRWS 2006: Work in Progress (WIP) Aug 16, 2006 AAron Walters 4TΦ Research Nick L. Petroni Jr. University
More informationForensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)
s Unix Definition of : Computer Coherent application of a methodical investigatory techniques to solve crime cases. Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM) s Unix
More informationDigital Forensic analysis of malware infected machine Case study ***
Abstract Digital Forensic analysis of malware infected machine Case study Amulya Podile, Keerthi G & Krishna Sastry Pendyala# Incident Response & Malware Analysis Unit, Digital Forensics CoE, Tata Consultancy
More informationTZWorks Windows Event Log Viewer (evtx_view) Users Guide
TZWorks Windows Event Log Viewer (evtx_view) Users Guide Abstract evtx_view is a standalone, GUI tool used to extract and parse Event Logs and display their internals. The tool allows one to export all
More informationDigital Forensics. Module 4 CS 996
Digital Forensics Module 4 CS 996 Hard Drive Forensics Acquisition Bit for bit copy Write protect the evidence media EnCase for DOS Safeback (NTI: www.forensics-intl.com) Analysis EnCase FTK (www.accessdata.com)
More informationJust EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012
Just EnCase Presented By Larry Russell CalCPA State Technology Committee May 18, 2012 What is e-discovery Electronically Stored Information (ESI) Discover or Monitor for Fraudulent Activity Tools used
More informationELEC 377. Operating Systems. Week 1 Class 3
Operating Systems Week 1 Class 3 Last Class! Computer System Structure, Controllers! Interrupts & Traps! I/O structure and device queues.! Storage Structure & Caching! Hardware Protection! Dual Mode Operation
More informationRunning a Program on an AVD
Running a Program on an AVD Now that you have a project that builds an application, and an AVD with a system image compatible with the application s build target and API level requirements, you can run
More informationImpact of Digital Forensics Training on Computer Incident Response Techniques
Impact of Digital Forensics Training on Computer Incident Response Techniques Valorie J. King, PhD Collegiate Associate Professor University of Maryland University College Presentation to AFCEA June 25,
More informationFORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI
FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI DISCLAIMER: THE VIEWS AND OPINIONS EXPRESSED IN THIS PRESENTATION ARE THOSE OF THE AUTHOR S AND DOES NOT NECESSARILY REPRESENT THE
More informationOnline Backup Client User Manual
Online Backup Client User Manual Software version 3.21 For Linux distributions January 2011 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have
More informationStop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats
Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats Jody C. Patilla The Johns Hopkins University Session ID: TECH-107 Session Classification: Intermediate Objectives Get more out
More informationUsing Process Monitor
Using Process Monitor Process Monitor Tutorial This information was adapted from the help file for the program. Process Monitor is an advanced monitoring tool for Windows that shows real time file system,
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
More informationNetwork Traffic Analysis
2013 Network Traffic Analysis Gerben Kleijn and Terence Nicholls 6/21/2013 Contents Introduction... 3 Lab 1 - Installing the Operating System (OS)... 3 Lab 2 Working with TCPDump... 4 Lab 3 - Installing
More informationCode Estimation Tools Directions for a Services Engagement
Code Estimation Tools Directions for a Services Engagement Summary Black Duck software provides two tools to calculate size, number, and category of files in a code base. This information is necessary
More informationCreating a More Secure Device with Windows Embedded Compact 7. Douglas Boling Boling Consulting Inc.
Creating a More Secure Device with Windows Embedded Compact 7 Douglas Boling Boling Consulting Inc. About Douglas Boling Independent consultant specializing in Windows Mobile and Windows Embedded Compact
More informationLecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation
Computer Forensics and Digital Investigation Computer Security EDA263, lecture 14 Ulf Larson Lecture outline! Introduction to Computer Forensics! Digital investigation! Conducting a Digital Crime Scene
More informationSearch and Destroy the Unknown FROM MALWARE ANALYSIS TO INDICATIONS OF COMPROMISE
Search and Destroy the Unknown FROM MALWARE ANALYSIS TO INDICATIONS OF COMPROMISE Who am I? Michael Boman, Malware Researcher Malware Research Institute Provide the community with knowledge and tools Detecting
More information1. Product Information
ORIXCLOUD BACKUP CLIENT USER MANUAL LINUX 1. Product Information Product: Orixcloud Backup Client for Linux Version: 4.1.7 1.1 System Requirements Linux (RedHat, SuSE, Debian and Debian based systems such
More informationOnline Backup Client User Manual Linux
Online Backup Client User Manual Linux 1. Product Information Product: Online Backup Client for Linux Version: 4.1.7 1.1 System Requirements Operating System Linux (RedHat, SuSE, Debian and Debian based
More informationChapter 14 Analyzing Network Traffic. Ed Crowley
Chapter 14 Analyzing Network Traffic Ed Crowley 10 Topics Finding Network Based Evidence Network Analysis Tools Ethereal Reassembling Sessions Using Wireshark Network Monitoring Intro Once full content
More informationF-Secure Internet Security 2014 Data Transfer Declaration
F-Secure Internet Security 2014 Data Transfer Declaration The product s impact on privacy and bandwidth usage F-Secure Corporation April 15 th 2014 Table of Contents Version history... 3 Abstract... 3
More informationRecoveryVault Express Client User Manual
For Linux distributions Software version 4.1.7 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have been introduced caused by human mistakes or by
More informationQ-CERT Workshop. Matthew Geiger mgeiger@cert.org. 2007 Carnegie Mellon University
Memory Analysis Q-CERT Workshop Matthew Geiger mgeiger@cert.org 2007 Carnegie Mellon University Outline Why live system forensics? Previous techniques Drawbacks and new thinking Approaches to memory acquisition
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationOnline Backup Linux Client User Manual
Online Backup Linux Client User Manual Software version 4.0.x For Linux distributions August 2011 Version 1.0 Disclaimer This document is compiled with the greatest possible care. However, errors might
More informationSecurity Intelligence Services. Cybersecurity training. www.kaspersky.com
Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative
More informationOnline Backup Client User Manual
For Linux distributions Software version 4.1.7 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have been introduced caused by human mistakes or by
More informationAdvanced Registry Forensics with Registry Decoder. Dr. Vico Marziale Sleuth Kit and Open Source Digital Forensics Conference 2012 10/03/2012
Advanced Registry Forensics with Registry Decoder Dr. Vico Marziale Sleuth Kit and Open Source Digital Forensics Conference 2012 10/03/2012 Who am I? Senior Security Researcher @ DFS Published Researcher
More informationAs shown, the emulator instance connected to adb on port 5555 is the same as the instance whose console listens on port 5554.
Tools > Android Debug Bridge Android Debug Bridge (adb) is a versatile tool lets you manage the state of an emulator instance or Android-powered device. It is a client-server program that includes three
More informationApplication Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions
Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions 1 Agenda What is Application Whitelisting (AWL) Protection provided by Application
More informationDefining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
More informationSophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC
WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5
More informationWINDOWS PROCESSES AND SERVICES
OBJECTIVES: Services o task manager o services.msc Process o task manager o process monitor Task Scheduler Event viewer Regedit Services: A Windows service is a computer program that operates in the background.
More informationEvolving Threat Landscape
Evolving Threat Landscape Briefing Overview Changing Threat Landscape Profile of the Attack Bit9 Solution Architecture Demonstartion Questions Growing Risks of Advanced Threats APT is on the rise 71% increase
More informationMicrosoft Windows PowerShell v2 For Administrators
Course 50414B: Microsoft Windows PowerShell v2 For Administrators Course Details Course Outline Module 1: Introduction to PowerShell the Basics This module explains how to install and configure PowerShell.
More informationNetSpective Logon Agent Guide for NetAuditor
NetSpective Logon Agent Guide for NetAuditor The NetSpective Logon Agent The NetSpective Logon Agent is a simple application that runs on client machines on your network to inform NetSpective (and/or NetAuditor)
More informationVitalJacket SDK v1.0.07 Technical Specifications
VitalJacket SDK v1.0.07 Technical Specifications Edíficio Olympus II LEGAL NOTICE AND DISCLAIMER ATENTION: Although VitalJacket is a certified medical device, its developer version is NOT certified for
More informationMore Efficient Virtualization Management: Templates
White Paper More Efficient Virtualization Management: Templates Learn more at www.swsoft.com/virtuozzo Published: November 2006 Revised: November 2006 Table of Contents Table of Contents... 2 OS, Middleware
More informationMSc Computer Security and Forensics. Examinations for 2009-2010 / Semester 1
MSc Computer Security and Forensics Cohort: MCSF/09B/PT Examinations for 2009-2010 / Semester 1 MODULE: COMPUTER FORENSICS & CYBERCRIME MODULE CODE: SECU5101 Duration: 2 Hours Instructions to Candidates:
More informationHi and welcome to the Microsoft Virtual Academy and
Hi and welcome to the Microsoft Virtual Academy and 2012 Microsoft Corporation 1 the start of the Windows 8 Security Insights training. My name is Milad Aslaner I m part of the Premier Field Engineering
More informationWhat s New in Centrify Server Suite 2014
CENTRIFY SERVER SUITE 2014 WHAT S NEW What s New in Centrify Server Suite 2014 The new Centrify Server Suite 2014 introduces major new features that simplify risk management and make regulatory compliance
More informationSAIP 2012 Performance Engineering
SAIP 2012 Performance Engineering Author: Jens Edlef Møller (jem@cs.au.dk) Instructions for installation, setup and use of tools. Introduction For the project assignment a number of tools will be used.
More informationEXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.
Non-intrusive, authenticated scanning for OT & IT environments The situation: convenience vs. security Interconnectivity between organizations and corporate networks, the internet and the cloud and thus
More informationADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
More informationCOMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command... 10 Document Revision History... 10
LabTech Commands COMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command... 10 Document Revision History... 10 Overview Commands in the LabTech Control Center send specific instructions
More informationForensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationWho DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store
Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store Mike Middleton Justin Prosco Mandiant, A FireEye Company Mike Middleton Principal Consultant Joined
More informationWebSphere Application Server security auditing
Copyright IBM Corporation 2008 All rights reserved IBM WebSphere Application Server V7 LAB EXERCISE WebSphere Application Server security auditing What this exercise is about... 1 Lab requirements... 1
More informationDIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia
More informationSnare System Version 6.3.4 Release Notes
Snare System Version 6.3.4 Release Notes is pleased to announce the release of Snare Server Version 6.3.4. Snare Server Version 6.3.4 New Features The behaviour of the Snare Server reflector has been modified
More informationAll Information is derived from Mandiant consulting in a non-classified environment.
Disclaimer: All Information is derived from Mandiant consulting in a non-classified environment. Case Studies are representative of industry trends and have been derived from multiple client engagements.
More informationNetworks and Security Lab. Network Forensics
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
More informationCICS Transactions Measurement with no Pain
CICS Transactions Measurement with no Pain Prepared by Luiz Eduardo Gazola 4bears - Optimize Software, Brazil December 6 10, 2010 Orlando, Florida USA This paper presents a new approach for measuring CICS
More informationEC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.
CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape
More informationY R O. Memory Forensics: A Volatility Primer M E M. Mariano Graziano. Security Day - Lille1 University January 2015 - Lille, France
emory Forensics: A Volatility Primer ariano Graziano Security Day - Lille1 University January 2015 - Lille, France whoami Ph.D student at urecom (France) sc from Politecnico di Torino (Italy) ain topics:
More informationHow To Fix A Snare Server On A Linux Server On An Ubuntu 4.5.2 (Amd64) (Amd86) (For Ubuntu) (Orchestra) (Uniden) (Powerpoint) (Networking
Snare System Version 6.3.5 Release Notes is pleased to announce the release of Snare Server Version 6.3.5. Snare Server Version 6.3.5 Bug Fixes: The Agent configuration retrieval functionality within the
More informationEmbedded Software development Process and Tools: Lesson-4 Linking and Locating Software
Embedded Software development Process and Tools: Lesson-4 Linking and Locating Software 1 1. Linker 2 Linker Links the compiled codes of application software, object codes from library and OS kernel functions.
More informationChapter 2 System Structures
Chapter 2 System Structures Operating-System Structures Goals: Provide a way to understand an operating systems Services Interface System Components The type of system desired is the basis for choices
More informationBuild Your Own Security Lab
Build Your Own Security Lab A Field Guide for Network Testing Michael Gregg WILEY Wiley Publishing, Inc. Contents Acknowledgments Introduction XXI xxiii Chapter 1 Hardware and Gear Why Build a Lab? Hackers
More informationOne-byte Modification for Breaking Memory Forensic Analysis
One-byte Modification for Breaking Memory Forensic Analysis Takahiro Haruyama / Hiroshi Suzuki Internet Initiative Japan Inc. for submission Summary Memory Forensics Overview Memory Acquisition Memory
More informationDr. Lodovico Marziale Managing Partner 504ENSICS, LLC vico@504ensics.com
Dr. Lodovico Marziale Managing Partner 504ENSICS, LLC vico@504ensics.com Education Ph.D. in Computer Science, University of New Orleans, 2009. Dissertation Topic: Advanced Techniques for Improving the
More informationHost Checker. Configuration Guide
Host Checker Configuration Guide Overview... 2 Client Side requirements for Host Checker:... 2 Qualified platforms:... 2 Compatible platforms:... 2 Windows clients... 3 Installer Package Files and File
More informationTSPrint - Usage Guide. Usage Guide. TerminalWorks TSPrint Usage Guide. support@terminalworks.com
Usage Guide TerminalWorks TSPrint Usage Guide Page 1 Contents TSPrint license system... 4 Software requirements... 5 Installation... 6 TSPrint client installation... 6 TSPrint server installation... 10
More informationAlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts
AlienVault Unified Security Management (USM) 4.x-5.x Deploying HIDS Agents to Linux Hosts USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2 Copyright 2015 AlienVault, Inc. All rights reserved. AlienVault,
More informationSandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
More informationRECOVERING FROM SHAMOON
Executive Summary Fidelis Threat Advisory #1007 RECOVERING FROM SHAMOON November 1, 2012 Document Status: FINAL Last Revised: 2012-11-01 The Shamoon malware has received considerable coverage in the past
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationAcronis Backup & Recovery 10 Server for Linux. Installation Guide
Acronis Backup & Recovery 10 Server for Linux Installation Guide Table of contents 1 Before installation...3 1.1 Acronis Backup & Recovery 10 components... 3 1.1.1 Agent for Linux... 3 1.1.2 Management
More informationRun-Time Deep Virtual Machine Introspection & Its Applications
Run-Time Deep Virtual Machine Introspection & Its Applications Jennia Hizver Computer Science Department Stony Brook University, NY, USA Tzi-cker Chiueh Cloud Computing Center Industrial Technology Research
More informationMcAfee Web Gateway 7.4.1
Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this
More informationSystem Requirements - Table of Contents
Page 1 of 12 System Requirements - Table of Contents CommNet Server CommNet Agent CommNet Browser CommNet Browser as a Stand-Alone Application CommNet Browser as a Remote Web-Based Application CommNet
More informationDigital Forensics with Open Source Tools
Digital Forensics with Open Source Tools Cory Altheide Harlan Carvey Technical Editor Ray Davidson AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO
More informationSysPatrol - Server Security Monitor
SysPatrol Server Security Monitor User Manual Version 2.2 Sep 2013 www.flexense.com www.syspatrol.com 1 Product Overview SysPatrol is a server security monitoring solution allowing one to monitor one or
More informationThis document presents the new features available in ngklast release 4.4 and KServer 4.2.
This document presents the new features available in ngklast release 4.4 and KServer 4.2. 1) KLAST search engine optimization ngklast comes with an updated release of the KLAST sequence comparison tool.
More informationDeep Discovery. Technical details
Deep Discovery Technical details Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior
More informationStratusphere. Architecture Overview
Stratusphere Architecture Overview Introduction This guide has been authored by experts at Liquidware Labs in order to provide an architecture overview of Liquidware Labs Stratusphere product, the leading
More informationOperating Systems and Networks
recap Operating Systems and Networks How OS manages multiple tasks Virtual memory Brief Linux demo Lecture 04: Introduction to OS-part 3 Behzad Bordbar 47 48 Contents Dual mode API to wrap system calls
More informationEnCase Endpoint Investigator Fundamentals 5/25/2016
EnCase Endpoint Investigator Fundamentals Guidance Software 1 About Us Tony Balzanto Tony Balzanto is an instructor in the Orlando, FL office of Guidance Software s Professional Development and Training
More informationReview from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture
Review from last time CS 537 Lecture 3 OS Structure What HW structures are used by the OS? What is a system call? Michael Swift Remzi Arpaci-Dussea, Michael Swift 1 Remzi Arpaci-Dussea, Michael Swift 2
More informationAdvanced Endpoint Protection Overview
Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking
More informationEC-Council Ethical Hacking and Countermeasures
EC-Council Ethical Hacking and Countermeasures Description This class will immerse the students into an interactive environment where they will be shown how to scan, test, hack and secure their own systems.
More information