DFIR SANS360 Talks

More documents

Recommendations

Info

Path-Based Analysis • Lets you instantly determine if a particular registry path exists in any number of hives • Great for detecting the presence of malware samples, rogue software, specific USB devices… • If you were given 20 computers and wanted to know which of them had a particular service installed or used a specific wireless network, how would you do it?
Searching – The Best Part!! • No other registry tool lets you intelligently search the registry • Search as many hives as you want at once • A single term or many terms • You can filter by: – Keys, Names, and/or Values – Wildcard or full search – Last write time of keys (start, end, in between)
Page 7 and 8: Registry Decoder • Originally fun
Page 9 and 10: Registry Decoder Offline • Used t
Page 11 and 12: Browsing • Similar to Access Data
Page 13: Plugins • Full plugin system, eac
Page 20 and 21: Reporting • We wanted to be able
Page 23 and 24: TRIAGE Standardizing Remote IR Coll
Page 25 and 26: Our Problem • Slow Response Time
Page 27 and 28: Our Actions - After Triage • Auto
Page 29 and 30: What does it do? • Runs Sysintern
Page 31 and 32: Quick Hits • Start Up Info • AV
Page 33 and 34: CASE STUDY
Page 35 and 36: Triage Received - AV Logs analyzed
Page 37 and 38: Wait what was that?? • Yes we hav
Page 39 and 40: What hit me? • Gammima.AG • Gam
Page 41 and 42: Triage Timings • 5hr 25 Minutes
Page 43: Who Created Triage?
Page 46 and 47: "All our knowledge is the offspring
Page 48: The REALITY of the depiction DOESN'
Page 55 and 56: By the time a person reaches physic
Page 57 and 58: The Midline moves down towards the
Page 59 and 60: Growth & Development of the Face 7
Page 61 and 62: Before you reach for your slide rul
Page 63 and 64: 5 Step Age Estimation Process 1. Ro
Page 65 and 66:
3 Years Old
Page 67 and 68:
9 Years Old
Page 69 and 70:
15 Years Old
Page 71 and 72:
25 Years Old
Page 73:
"All our knowledge is the offspring
Page 76 and 77:
SANS360 Registry, UserAssist, and V
Page 78 and 79:
VSCs Does old data every completely
Page 80 and 81:
UserAssist Info from the Registry N
Page 82:
Questions? Harlan Carvey harlanc@ap
Page 85 and 86:
Kitteh Porn!
Page 87 and 88:
Emperor Rob Let's Meet Our Suspects
Page 89 and 90:
Find the Common Images $ awk '{prin
Page 91 and 92:
Eliminate "Known Goods" $ awk '{pri
Page 93 and 94:
Lee-Ah and Emperor Rob? $ awk '{pri
Page 95 and 96:
Thanks J-Michael!
Page 98 and 99:
Automating Your Timeline Analysis i
Page 100 and 101:
Background • • What about YARA?
Page 102 and 103:
Log2timeline and YARA Together At L
Page 104 and 105:
Example Rule private rule MFT_Hit {
Page 106:
Summary • YARA rules can be used
Page 109 and 110:
Overview What Are Fraudulent Docum
Page 111 and 112:
What Are Fraudulent Documents Fraud
Page 113 and 114:
Types of Fraud - Purchasing Indict
Page 115 and 116:
Types of Fraud - Bid Rigging FBI a
Page 117 and 118:
Word Documents Metadata Metadata i
Page 119 and 120:
Word Documents Metadata Creating a
Page 121 and 122:
Word Documents Metadata Printing D
Page 123 and 124:
Red Flag #1 Company’s name should
Page 125 and 126:
Red Flag #3 Creation dates shouldn
Page 127 and 128:
Red Flag #5 No Metadata when metada
Page 129 and 130:
Detection Process In Action Suspec
Page 131 and 132:
Collect Documents Mixture of bids,
Page 133 and 134:
Extract Metadata Run SquirrelGrippe
Page 135 and 136:
Analyze Metadata Suspicious Documen
Page 137:
What’s Next More Information Pap
Page 141:
Pay no attention to the data behind
Page 153:
Girl, Unallocated’s Open Source T
Page 157:
Helmet of Problem Solving Dongle of
Page 160 and 161:
Context LYNXeon is our tool for ne
Page 162 and 163:
The Challenge We get our first qua
Page 164 and 165:
Bad Host! Bad! No Cookie! Easy to
Page 166 and 167:
What are we doing again? Initial c
Page 168 and 169:
Caveats Google, Akamai and Faceboo
Page 170:
Questions & Discussion For future q
Page 173 and 174:
• Registry values used to track a
Page 175 and 176:
For Windows XP: C:\Documents and Se
Page 177 and 178:
Live Registry: HK_USERS\(USERID)\Lo
Page 179 and 180:
\Software\Microsoft\Windows\Shell\B
Page 181 and 182:
TZWorks Windows Shellbag Parser (ht
Page 183 and 184:
C:\>sbag usrclass.dat -csv > usrcla
Page 185 and 186:
Unauthorized Access of Other Employ
Page 188 and 189:
#SANS360 DFIR Summit 2012! Hi.. My
Page 190 and 191:
Log2timeline! Reviewing log2timelin
Page 193 and 194:
Now let’s try this on a real comp
Page 195 and 196:
Log2timeline does a GREAT job of ma
Page 197 and 198:
Data diagram of PoC Solution: Featu
Page 201 and 202:
To do: • Find time (egoings@kpmg.
show all

DFIR SANS360 Talks

Create successful ePaper yourself

Delete template?

Save as template?