Sniper Forensics V2.0 Target Acquisition - SANS - SANS Institute

More documents

Recommendations

Info

Trigger Squeeze Convert evt logs to txt (this is optional at this point) I use Event Log Explorer or DUMPEL http://www.eventlogxp.com/ http://download.microsoft.com/download/win2000platform/ WebPacks/1.00.0.1/NT5/EN-US/Dumpel.exe (http://download.microsoft.com/download/win2000platfor m/webpacks/1.00.0.1/nt5/en-us/dumpel.exe) Copyright Trustwave 2010 Confidential
Trigger Squeeze Rip the $MFT I use Harlan PARSEMFT.pl http://code.google.com/p/winforensicaanalysis/downloads/detail?na me=mft.pl Look at the $Standard_Information and $File_Name attributes The system and user can interact with the $S_I attribute The Kernel is the ONLY thing that interacts with the $F_N attribute Anti-<strong>Forensics</strong> WILL NOT affect the $F_N attribute Copyright Trustwave 2010 Confidential
Page 1 and 2: Sniper Forensics V2.0 Target Acquis
Page 3 and 4: Thank You Dan Christensen! Copyrigh
Page 5 and 6: TheDigitalStandard.Blogspot.com Cop
Page 7 and 8: The Evolution of: Sniper Forensics
Page 9 and 10: Sniper Forensics V3.0: Black Ops U
Page 11 and 12: - Jibran Ilyas - Senior Security Co
Page 13 and 14: and slaps him right in the face! He
Page 15 and 16: Target Acquisition What do I d
Page 17 and 18: Target Acquisition How do I snipe i
Page 19 and 20: Target Acquisition FTK Imager v3.00
Page 21 and 22: Target Acquisition Rinse, Repeat, R
Page 23 and 24: Trigger Squeeze RegRipper, or TSK)
Page 25: Trigger Squeeze Super Timelines (Th
Page 29 and 30: Rounds Down Range Know how to stack
Page 31 and 32: Analysis String search in timeline
Page 33 and 34: Analysis Analyzing RAM dumps is a g
Page 35 and 36: Analysis Copyright Trustwave 2010
Page 37 and 38: Copyright Trustwave 2010 Confidenti
Page 39 and 40: Copyright Trustwave 2010 Confidenti
Page 41 and 42: While the $S_I can be accessed by b
Page 43 and 44: All Your Config Files are Belong to
Page 49 and 50: Seriously, at Least Try! Copyright
Page 51 and 52: Seriously, at Least Try! TypedURLs
Page 53 and 54: Seriously, at Least Try! Not shown:
Page 55 and 56: Conclusion Take good notes Good c

Sniper Forensics V2.0 Target Acquisition - SANS - SANS Institute

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?