Carve for Record not Files - SANS Computer Forensics

More documents

Recommendations

Info

14 Web Log Success BotNet Server − /var/log/apache access_log Carving Results − Over 12 million © Copyright 2012 Included Check-ins from compromised hosts xx.xx.xxx.xxx - - [26/Jun/2010:18:17:05 -0400] "GET /spy/gate.php?guid=user1!HOST1!A889EB32&ver=10200&stat=ONLINE&c pu=0&ccrc=A1CC72AF&md5=1234a5217a92a88771b0a7982c1bb3d8 HTTP/1.1" 200 51 xxx.xxx.xxx.xx - - [26/Jun/2010:18:17:05 -0400] "GET /spy/gate.php?guid=user2!HOST2!B47CD21D&ver=10200&stat=ONLINE&c pu=1&ccrc=B2F96423&md5=56787689e35c396f16e4d035f56fb391 HTTP/1.1" 200 51
15 Shell History Log BASH HISTORY ZSHELL HISTORY Plain text series of commands Only Identifier is EOL © Copyright 2012 − : 1338863410:0;ls − : 1338863413:0;who − : 1338863419:1;less mount_dd − : 1338863423:0;exit grep ":\ [0-9]\{10\}:[0-9];.*" .history
Page 1 and 2: Jeff Hamm hammjd@yahoo.com jeff.ham
Page 3 and 4: 3 Important note All information is
Page 5 and 6: Introductions 5 JEFF HAMM Senior C
Page 7 and 8: 7 Traditional File Carving Tools an
Page 9 and 10: 9 Definitions © Copyright 2012
Page 11 and 12: 11 Definitions 66.23.15.30 - - [14/
Page 13: 13 Web Log 66.23.15.30 - - [14/Aug/
Page 17 and 18: 17 Shell History Log Success 02/25/
Page 19 and 20: 19 Last Log WTMP l l a32 a4 a32 a2
Page 21 and 22: 21 Last Log Success 78 Cent OS Ser
Page 23 and 24: 23 Windows Event Log Header − Lf
Page 25 and 26: 25 Windows Event Log © Copyright 2
Page 27 and 28: 27 Windows Event Log Tool Python
Page 29 and 30: 29 Historical IP Address WT_FPC TWI
Page 31 and 32: 31 Historical IP Address Visit Coun
Page 33 and 34: 33 Additional Thoughts SQL Index.
Page 35 and 36: 35 Intelligent Response Find indic
Page 37 and 38: 37 © Copyright 2012 Q&A
Page 39: Jeff Hamm hammjd@yahoo.com jeff.ham

Carve for Record not Files - SANS Computer Forensics

Create successful ePaper yourself

Delete template?

Save as template?