Sniper Forensics V2.0 Target Acquisition - SANS - SANS Institute

More documents

Recommendations

Info

All Your Config Files are Belong to Me! rpcsrv.exe C:\cases\timeline\> strings boh_timeline.csv | grep -i "rpcsrv.exe" Mon Feb 15 2010 07:10:34,128000,...b,r/rrwxrwxrwx,0,0,10140-128- 3,'C:/'/WINDOWS/system32/rpcsrv.exe Thu Feb 18 2010 02:01:04,128000,m...,r/rrwxrwxrwx,0,0,10140-128- 3,'C:/'/WINDOWS/system32/rpcsrv.exe Wed Oct 06 2010 13:02:35,128000,..c.,r/rrwxrwxrwx,0,0,10140-128- 3,'C:/'/WINDOWS/system32/rpcsrv.exe Wed Oct 06 2010 18:15:51,128000,.a..,r/rrwxrwxrwx,0,0,10140-128- 3,'C:/'/WINDOWS/system32/rpcsrv.exe Copyright Trustwave 2010 Confidential
All Your Config Files are Belong to Me! C:\cases\timeline\> strings boh_timeline.csv | grep -i "bios12.rom" Thu Feb 18 2010 02:04:01,21278,...b,r/rrwxrwxrwx,0,0,5475-128- 3,'C:/'/WINDOWS/system32/bios12.rom Fri Sep 24 2010 19:06:36,21278,m.c.,r/rrwxrwxrwx,0,0,5475-128- 3,'C:/'/WINDOWS/system32/bios12.rom Wed Oct 06 2010 20:52:10,21278,.a..,r/rrwxrwxrwx,0,0,5475-128- 3,'C:/'/WINDOWS/system32/bios12.rom Copyright Trustwave 2010 Confidential
Page 1 and 2: Sniper Forensics V2.0 Target Acquis
Page 3 and 4: Thank You Dan Christensen! Copyrigh
Page 5 and 6: TheDigitalStandard.Blogspot.com Cop
Page 7 and 8: The Evolution of: Sniper Forensics
Page 9 and 10: Sniper Forensics V3.0: Black Ops U
Page 11 and 12: - Jibran Ilyas - Senior Security Co
Page 13 and 14: and slaps him right in the face! He
Page 15 and 16: Target Acquisition What do I d
Page 17 and 18: Target Acquisition How do I snipe i
Page 19 and 20: Target Acquisition FTK Imager v3.00
Page 21 and 22: Target Acquisition Rinse, Repeat, R
Page 23 and 24: Trigger Squeeze RegRipper, or TSK)
Page 25 and 26: Trigger Squeeze Super Timelines (Th
Page 27 and 28: Trigger Squeeze Rip the $MFT I use
Page 29 and 30: Rounds Down Range Know how to stack
Page 31 and 32: Analysis String search in timeline
Page 33 and 34: Analysis Analyzing RAM dumps is a g
Page 35 and 36: Analysis Copyright Trustwave 2010
Page 37 and 38: Copyright Trustwave 2010 Confidenti
Page 39 and 40: Copyright Trustwave 2010 Confidenti
Page 41 and 42: While the $S_I can be accessed by b
Page 43: All Your Config Files are Belong to
Page 47 and 48: All Your Config Files are Belong to
Page 49 and 50: Seriously, at Least Try! Copyright
Page 51 and 52: Seriously, at Least Try! TypedURLs
Page 53 and 54: Seriously, at Least Try! Not shown:
Page 55 and 56: Conclusion Take good notes Good c

Sniper Forensics V2.0 Target Acquisition - SANS - SANS Institute

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?