Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics
Volatile Data Analysis (cont.)
Restore Points (Shadow Copy Volumes)
• Record major changes to the system in chronological order
• Can be parsed to show when things took place
− Malware was not present yesterday, but is there today
− System was “updated” – something was installed
− Registry changes are included (THIS IS HUGE)
• Can be parsed with RipXP
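The bracketing the slide describes (a value absent in yesterday's restore point, present in today's), as an added example that is not part of the deck or of RipXP: it diffs the Run key across successive restore-point registry snapshots. The snapshot contents, restore point names and creation times are constructed for illustration; in practice they would come from parsing each RP<n>\snapshot\_REGISTRY_MACHINE_SOFTWARE hive.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the slides): for each restore point, its creation
# time and the HKLM\Software\Microsoft\Windows\CurrentVersion\Run values an
# examiner would pull from RP<n>\snapshot\_REGISTRY_MACHINE_SOFTWARE with a
# hive parser such as RipXP. Names, paths and times are invented.
SNAPSHOTS: List[Tuple[str, datetime, Dict[str, str]]] = [
    ("RP41", datetime(2009, 3, 2, 9, 15),
     {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}),
    ("RP42", datetime(2009, 3, 3, 10, 40),
     {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
      "SoundMan": "SOUNDMAN.EXE"}),
    ("RP43", datetime(2009, 3, 4, 8, 5),
     {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
      "SoundMan": "SOUNDMAN.EXE",
      "svchosts": r"C:\WINDOWS\Temp\svchosts.exe"}),  # new value, odd name and path
    ("RP44", datetime(2009, 3, 5, 11, 30),
     {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
      "svchosts": r"C:\WINDOWS\Temp\svchosts.exe"}),  # SoundMan is gone
]

# (kind, value name, restore point where first observed, after, before)
Change = Tuple[str, str, str, Optional[datetime], datetime]

def registry_timeline(snapshots) -> List[Change]:
    """Diff successive restore-point snapshots of one registry key.

    Each added, modified or removed value is bracketed by the creation time of
    the last restore point that did not show the change ('after'; None when the
    value already existed in the oldest restore point) and of the first one
    that did ('before'). Snapshots are ordered by creation time, not by name.
    """
    ordered = sorted(snapshots, key=lambda s: s[1])
    changes: List[Change] = []
    prev_values: Dict[str, str] = {}
    prev_time: Optional[datetime] = None
    for rp, created, values in ordered:
        for name, data in values.items():
            if name not in prev_values:
                changes.append(("added", name, rp, prev_time, created))
            elif prev_values[name] != data:
                changes.append(("modified", name, rp, prev_time, created))
        for name in prev_values:
            if name not in values:
                changes.append(("removed", name, rp, prev_time, created))
        prev_values, prev_time = values, created
    return changes
```

Running `registry_timeline(SNAPSHOTS)` on the sample places the new `svchosts` value between RP42 (2009-03-03 10:40) and RP43 (2009-03-04 08:05), which is the window the examiner then correlates against file system and event log timestamps.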
System Information
• Operating System
• Patch level
• Auditing policies
• Password policies
Copyright Trustwave 2009
Confidential