James Zinn - User Panel - SANS Computer Forensics

computer.forensics.sans.org


1

User Panel

SANS WhatWorks in Forensics and IR Summit

July 7, 2009

© Huron Consulting Group Inc. All rights reserved. Neither Huron Consulting Group Inc. nor any of its affiliates is a CPA firm.


2

Background

Issue

• Employee resigned and suspected of going to competitor
• Another employee reported being solicited to follow suit
• Do we have a problem?

Technical

• Laptop-centric user base (Intel with WinXP)
• Full-disk encryption (WinMagic)
• Microsoft Exchange e-mail
• Users are local administrators


3

So what now…

Dead system forensics

– Live imaging (FTK Imager)
– Analysis database (MS SQL Server)
  • File system metadata (EnCase)
  • Link file decoding (EnCase)
  • INFO2 file decoding (EnCase)
  • Removable devices (RegRipper)
  • Internet History (NetAnalysis)
– TIF analysis (EnCase, FTK)
– UC analysis (DataLifter)

Live system forensics

– Remote connection (F-Response)
– Triage analysis (Perl)
  • Removable devices
  • File system metadata
– Live imaging (EnCase)
– E-mail analysis (FTK, nuix)
– Added to analysis database
  • Reporting
  • Correlation
  • Reconstruction
  • Timeline
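Two of the steps above, decoding the WinXP Recycle Bin INFO2 file and folding the decoded records into a timeline alongside other artifacts, are shown below as an added Python example. This is editor-supplied illustration, not code from the presentation (the deck used EnCase and Perl for these steps). It relies only on the publicly documented XP INFO2 layout (20-byte header with the record size at offset 12, then fixed 800-byte records: 260-byte ANSI path, record index, drive number, FILETIME deletion time, physical size, 520-byte Unicode path). The sample records and the extra link-file event are constructed test data, not from any real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# WinXP Recycle Bin INFO2 layout (public format): 20-byte header whose DWORD
# at offset 12 is the record size (0x320), followed by fixed 800-byte records.
INFO2_HEADER_LEN = 20
INFO2_RECORD_LEN = 800
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer math to stay exact."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data: bytes) -> list:
    """Decode every record of an INFO2 file into timeline-ready dicts."""
    if len(data) < INFO2_HEADER_LEN:
        raise ValueError("INFO2 data shorter than its 20-byte header")
    record_len = struct.unpack_from("<I", data, 12)[0]
    if record_len != INFO2_RECORD_LEN:
        raise ValueError(f"unexpected INFO2 record size {record_len:#x}")
    records = []
    offset = INFO2_HEADER_LEN
    # A trailing partial record (truncated file) is ignored rather than misparsed.
    while offset + record_len <= len(data):
        rec = data[offset:offset + record_len]
        # The ANSI path is NUL-terminated; XP zeroes its first byte once the
        # entry is purged, so the Unicode copy is preferred when present.
        ansi_path = rec[0:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive = struct.unpack_from("<II", rec, 0x104)
        deleted_ft, phys_size = struct.unpack_from("<QI", rec, 0x10C)
        uni_path = rec[0x118:0x118 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
        records.append({
            "source": "INFO2",
            "timestamp": filetime_to_datetime(deleted_ft),
            "index": index,
            "drive": chr(ord("A") + drive),  # drive number 0 = A:, 2 = C:, ...
            "original_path": uni_path or ansi_path,
            "size": phys_size,
        })
        offset += record_len
    return records


def build_info2_record(index: int, drive: int, deleted: datetime, path: str, size: int) -> bytes:
    """Build one synthetic 800-byte record (constructed test data)."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size) + uni


def build_timeline(*sources) -> list:
    """Merge events from several artifact parsers into one time-ordered list."""
    events = [event for src in sources for event in src]
    return sorted(events, key=lambda e: e["timestamp"])


# Constructed INFO2 file: header (version 5, record size 0x320) plus two records.
SAMPLE_INFO2 = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_LEN, 0)
SAMPLE_INFO2 += build_info2_record(
    1, 2, datetime(2009, 6, 15, 14, 3, 22, tzinfo=timezone.utc),
    r"C:\Documents and Settings\jdoe\Desktop\customer_list.xls", 45056)
SAMPLE_INFO2 += build_info2_record(
    2, 4, datetime(2009, 6, 15, 13, 58, 1, tzinfo=timezone.utc),
    r"E:\pricing_2009.doc", 102400)

# Constructed link-file event standing in for a decoded .lnk artifact.
SAMPLE_LNK_EVENTS = [{
    "source": "LNK",
    "timestamp": datetime(2009, 6, 15, 14, 0, 40, tzinfo=timezone.utc),
    "original_path": r"E:\pricing_2009.doc",
}]


def sample_timeline() -> list:
    """Decode the constructed INFO2 and merge it with the link-file event."""
    return build_timeline(parse_info2(SAMPLE_INFO2), SAMPLE_LNK_EVENTS)


if __name__ == "__main__":
    for event in sample_timeline():
        print(event["timestamp"].isoformat(), event["source"], event["original_path"])
```

The merged timeline places the link-file access to the E: drive document between the two deletions, which is the kind of cross-artifact ordering the "Correlation" and "Timeline" steps above are meant to surface; in practice the same dict shape would be loaded into the analysis database rather than sorted in memory.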
