Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics

More documents

Recommendations

Info

Volatile Data Analysis (cont.) Restore Points (Shadow Copy Volumes) • Record major changes to the system or chronological • Can be parsed to show when things took place − Malware was not present yesterday, but is there today − System was “updated” – something was installed − Registry changes are included (THIS IS HUGE) • Can be parsed with RipXP System Information • Operating System • Patch level • Auditing policies • Password policies Copyright Trustwave 2009 Confidential
Volatile Data Analysis (cont.) RAM • Another GOLD MINE • Encryption keys • Running processes − Open handles − Mutexes • Garble • Least frequency of occurrence − Dlls being used − Network connections − Binaries have to be unpacked to run − Strings • Usernames and passwords • Regexes • Luhn checks Copyright Trustwave 2009 Confidential
Page 1 and 2: Sniper Forensics “One Shot, One K
Page 3 and 4: Who Am I? • Senior Security Consu
Page 5 and 6: Shotgun Forensics The process of ta
Page 7 and 8: Three Round Shot Group Infiltration
Page 9 and 10: What Others are Saying (cont.) “Y
Page 11 and 12: Locard’s Exchange Principle • E
Page 13 and 14: The Alexiou Principle Documented by
Page 15 and 16: Create an Investigation Plan This i
Page 17 and 18: Volatile Data Gathering Critical to
Page 19: Volatile Data Analysis (cont.) Even
Page 23 and 24: Timeline Analysis • Can help prov
Page 25 and 26: Case Studies All Your Registry Entr
Page 27 and 28: All Your Registry Entries and Belon
Page 29 and 30: Don’t Count Your Keylogger B4 It
Page 31 and 32: Bring it all together (cont.) What
Page 33: Questions? cepogue@trustwave.com

Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics

Create successful ePaper yourself

Delete template?

Save as template?