Mastering Windows Network Forensics and Investigation
Chapter 6: Live Analysis Techniques
Chapter Topics:
• Prepare a toolkit to acquire RAM from a live system
• Identify the pros and cons of performing a live analysis
Finding Evidence in Memory
• Hackers attempt to hide evidence of their activities
• The traditional focus of LE (law enforcement) forensics is the hard drive of the victim
• Hackers have designed their toolsets around this philosophy by using code that will only execute in RAM
– DLL injections
– Hooks
IR Considerations
• Pulling the plug will remove invaluable data from RAM
• Keep interaction with the target to a bare minimum
• Bring your own trusted tools!
• Think before you act…then think again
• Document everything
Creating a Live-Analysis Toolkit
• Think about the reason for performing every action
• Use only trusted and validated analysis tools
• Request intimate details about the target system
– OS?
– Architecture? (32 vs 64 bit?)
• Assume you have only one shot to capture volatile data correctly
RAM Acquisition Tools
• DumpIt
– Creates binary dump
– Supports 32/64-bit
– CLI
• WinEN
– Creates EnCase evidence file
– Supports 32/64-bit
– CLI
• FTK Imager Lite
– Creates binary dump
– Supports 32/64-bit
– GUI-based
RAM Analysis Tools
• Volatility 2.0
– Open source RAM analysis tool
– Active network connections
– Running processes
– Loaded DLLs
• Memoryze
• Consider mounted encrypted volumes
Monitoring Communications
• Network Sniffer
– Analyze which IPs are engaged with victim systems
– Which ports are being used
– Network packet payload
Monitoring Communications
• Network Port Scanner
– Analyze which ports are open on the network
– Determine what services are legitimate
• Open Source Tools
– Nmap
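Added example, not from the book or any of the tools it names: a small Python triage of the connection findings the two Monitoring Communications slides describe, grouping remote IPs by the victim ports they are engaged with, listing peers outside the internal range, and flagging listening ports that are not on a baseline of legitimate services. The sample rows, the baseline port set and the 10.0.0.0/8 internal range are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed rows in a netstat-like layout, as a live netstat run or a
# Volatility-style connection listing would give them:
# proto  local_addr:port  remote_addr:port  state  pid
SAMPLE_ROWS = """\
TCP 10.0.0.5:445  10.0.0.9:49211      ESTABLISHED 4
TCP 10.0.0.5:3389 203.0.113.7:51002   ESTABLISHED 1188
TCP 10.0.0.5:4444 0.0.0.0:0           LISTENING   2312
TCP 10.0.0.5:80   198.51.100.20:40122 ESTABLISHED 1560
UDP 10.0.0.5:53   *:*                 -           1020
TCP 10.0.0.5:4444 203.0.113.7:51010   ESTABLISHED 2312
"""
# Hypothetical baseline validated before touching the host: legitimate
# listening ports and the organisation's internal address ranges.
BASELINE_PORTS = {53, 80, 445, 3389}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

def parse_rows(text):
    """Parse whitespace-separated rows into dicts; ports and PIDs become ints."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            proto, local, remote, state, pid = line.split()
            rhost = remote.rsplit(":", 1)[0]
            rows.append({"proto": proto, "lport": int(local.rsplit(":", 1)[1]),
                         "rhost": rhost, "state": state, "pid": int(pid)})
    return rows

def remote_peers(text):
    """Map each real remote IP to the set of local ports it is engaged with."""
    peers = defaultdict(set)
    for r in parse_rows(text):
        try:
            addr = ip_address(r["rhost"])
        except ValueError:           # '*' and similar wildcard placeholders
            continue
        if not addr.is_unspecified:  # skip the 0.0.0.0 of a listening socket
            peers[r["rhost"]].add(r["lport"])
    return dict(peers)

def external_peers(text):
    """Remote IPs outside the internal ranges: the first ones to account for."""
    return sorted(ip for ip in remote_peers(text)
                  if not any(ip_address(ip) in net for net in INTERNAL_NETS))

def unexpected_listeners(text, baseline=BASELINE_PORTS):
    """(port, pid) pairs for listening sockets not on the validated baseline."""
    return sorted({(r["lport"], r["pid"]) for r in parse_rows(text)
                   if r["state"] == "LISTENING" and r["lport"] not in baseline})
```

Each flagged listener and external peer is a lead to document and check against the process list and loaded DLLs from the memory image, not a verdict on its own.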