Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics

More documents

Recommendations

Info

Sniper Forensics The process of taking a targeted, deliberate approach to forensic investigations: • Create an investigation plan • Apply sound logic − Locard − Occam − Alexiou • Extract what needs to be extracted, nothing more • Allow the data to provide the answers • Report on what was done • Answer the questions Copyright Trustwave 2009 Confidential
Three Round Shot Group Infiltration • How did the bad guy(s) get onto the system(s) Aggregation • What did they do − What did they steal Exfiltration • How did they get off the system − How did they get stolen data off the system * This is commonly referred to as the “Breach Triad” – term credited to Colin Sheppard, Incident Response Director, SpiderLabs. Copyright Trustwave 2009 Confidential
Page 1 and 2: Sniper Forensics “One Shot, One K
Page 3 and 4: Who Am I? • Senior Security Consu
Page 5: Shotgun Forensics The process of ta
Page 9 and 10: What Others are Saying (cont.) “Y
Page 11 and 12: Locard’s Exchange Principle • E
Page 13 and 14: The Alexiou Principle Documented by
Page 15 and 16: Create an Investigation Plan This i
Page 17 and 18: Volatile Data Gathering Critical to
Page 19 and 20: Volatile Data Analysis (cont.) Even
Page 21 and 22: Volatile Data Analysis (cont.) RAM
Page 23 and 24: Timeline Analysis • Can help prov
Page 25 and 26: Case Studies All Your Registry Entr
Page 27 and 28: All Your Registry Entries and Belon
Page 29 and 30: Don’t Count Your Keylogger B4 It
Page 31 and 32: Bring it all together (cont.) What
Page 33: Questions? cepogue@trustwave.com

Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?