An Ontology for Digital Forensics in IT Security Incidents - OPUS

More documents

Recommendations

Info

28 CHAPTER 4. FORENSICS of the sockets command is displayed in listing 4.5. Last but not least listing 4.6 demonstrates the output of printkey from the registry category. Volatile Systems Volatility Framework 2.1 Offset (P) Name PID PPID PDB Time created Time exited ---------- ---------------- ------ ------ ---------- -------------------- -------------------- 0 x018312a0 ctfmon . exe 1168 408 0 x0ee7c000 2012 -09 -20 10:34:18 0 x01898a20 explorer . exe 408 364 0 x0b23e000 2012 -09 -20 10:34:13 0 x0189eda0 wscntfy . exe 316 976 0 x0b074000 2012 -09 -20 10:34:13 0 x018b3880 alg . exe 2032 636 0 x0ab8e000 2012 -09 -20 10:34:12 0 x01934148 spoolsv . exe 1364 636 0 x08b8f000 2012 -09 -20 10:34:00 0 x0193e2c8 wpabaln . exe 1044 592 0 x0d8f1000 2012 -09 -20 10:36:13 0 x01962c78 svchost . exe 1088 636 0 x06a52000 2012 -09 -20 10:33:59 0 x0196a8b0 svchost . exe 1036 636 0 x067e8000 2012 -09 -20 10:33:59 0 x01972408 svchost . exe 976 636 0 x0658a000 2012 -09 -20 10:33:59 0 x0197fbd0 svchost . exe 884 636 0 x06334000 2012 -09 -20 10:33:59 0 x019a1a70 svchost . exe 804 636 0 x05d50000 2012 -09 -20 10:33:59 0 x019bc3f0 lsass . exe 648 592 0 x052dc000 2012 -09 -20 10:33:58 0 x019bfc50 services . exe 636 592 0 x0526e000 2012 -09 -20 10:33:58 0 x019d5788 csrss . exe 568 504 0 x04520000 2012 -09 -20 10:33:58 0 x019e87c0 winlogon . exe 592 504 0 x048a6000 2012 -09 -20 10:33:58 0 x01a2c990 smss . exe 504 4 0 x03404000 2012 -09 -20 10:33:58 0 x01bcca00 System 4 0 0 x00039000 Listing 4.4: Sample output of psscan Volatile Systems Volatility Framework 2.1 Offset (V) PID Port Proto Protocol Address Create Time ---------- ------ ------ ------ --------------- --------------- ----------- 0 x814f76b8 648 500 17 UDP 0.0.0.0 2012 -09 -20 10:34:09 0 x816353b8 4 445 6 TCP 0.0.0.0 2012 -09 -20 10:33:58 0 x8157a560 884 135 6 TCP 0.0.0.0 2012 -09 -20 10:33:59 0 x814abb00 2032 1025 6 TCP 127.0.0.1 2012 -09 -20 10:34:13 0 x814c6708 976 123 17 UDP 127.0.0.1 2012 -09 -20 10:34:28 0 x814f5e98 648 0 255 Reserved 0.0.0.0 2012 -09 -20 10:34:09 0 x8152a008 1088 1900 17 UDP 127.0.0.1 2012 -09 -20 10:34:28 0 x814f6710 648 4500 17 UDP 0.0.0.0 2012 -09 -20 10:34:09 0 x816355f0 4 445 17 UDP 0.0.0.0 2012 -09 -20 10:33:58 Listing 4.5: Sample output of sockets Volatile Systems Volatility Framework 2.1 Legend : (S) = Stable (V) = Volatile ---------------------------- Registry : \ Device \ HarddiskVolume1 \ Dokumente und Einstellungen \ LocalService \ NTUSER . DAT Key name : Run (S) Last updated : 2012 -09 -20 10:31:15 Subkeys : Values : REG_SZ CTFMON . EXE : (S) C :\ WINDOWS \ system32 \ CTFMON . EXE Listing 4.6: Sample output of printkey 4.3.3 reglookup The further source for registry information are the hive les on hard disk. reglookup[Sentinel Chicken Networks, 2010] is used to extract the registry information from the registry les on the hard disk. The cropped output of reglookup that corresponds to the one of printkey is shown in listing 4.7. PATH , TYPE , VALUE , MTIME , OWNER , GROUP , SACL , DACL , CLASS / Software / Microsoft / Windows / CurrentVersion / Run / CTFMON .EXE ,SZ ,C :\ WINDOWS \ system32 \ CTFMON .EXE ,,,,, Listing 4.7: Sample output of reglookup
4.3. FORENSIC TOOLS 29 4.3.4 bkhive + samdump2 The two tools bkhive[Tissieres and Oechslin, 2013] and samdump2 [Tissieres and Oechslin, 2013] are used to extract information about the user. The output of bkhive is given to samdump2 and the result is shown in listing 4.8. Administrator :500:6 a98eb0fb88a449cbe6fabfd825bca61 : a4141712f19e9dd5adf16919bb38a95c ::: Gast :501: aad3b435b51404eeaad3b435b51404ee :31 d6cfe0d16ae931b73c59d7e0c089c0 ::: Hilfeassistent :1000:50 a75aa3555c00d0ba0322f551cc115a : afacea076c4a025a3022c614793f9e46 ::: SUPPORT_388945a0 :1002: aad3b435b51404eeaad3b435b51404ee : a484598dba956d06f2a8fc23c14d2c92 ::: Benutzer1 :1003: d7246e4feea4219d179b4d5d6690bdf3 :9068 eeaf33cffd1d86ac515e518588a0 ::: Listing 4.8: Sample output of samdump2
Page 1: Diplomarbeit An Ontology for Digita
Page 4 and 5: Acknowledgement I would like to tha
Page 6 and 7: 4 CONTENTS 5.1.4 Storage . . . . .
Page 8 and 9: 6 CONTENTS
Page 10 and 11: 8 CHAPTER 1. INTRODUCTION data lead
Page 12 and 13: 10 CHAPTER 2. RELATED WORK investig
Page 14 and 15: 12 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 16 and 17: 14 CHAPTER 3. GOAL FORENSIC SEMANTI
Page 18 and 19: 16 CHAPTER 4. FORENSICS Basic rules
Page 20 and 21: 18 CHAPTER 4. FORENSICS 4.1.2.2 Ran
Page 22 and 23: 20 CHAPTER 4. FORENSICS entry conta
Page 24 and 25: 22 CHAPTER 4. FORENSICS 4.2.3.1 Reg
Page 26 and 27: 24 CHAPTER 4. FORENSICS vulnerable
Page 28 and 29: 26 CHAPTER 4. FORENSICS The fls -m
Page 32 and 33: 30 CHAPTER 4. FORENSICS
Page 34 and 35: 32 CHAPTER 5. ONTOLOGY Person name
Page 36 and 37: 34 CHAPTER 5. ONTOLOGY 5.1.1 Creati
Page 38 and 39: 36 CHAPTER 5. ONTOLOGY Resource Des
Page 40 and 41: 38 CHAPTER 5. ONTOLOGY to be Augsbu
Page 42 and 43: 40 CHAPTER 5. ONTOLOGY Gephi and Cy
Page 44 and 45: 42 CHAPTER 5. ONTOLOGY
Page 46 and 47: 44 CHAPTER 6. FORENSIC ONTOLOGY for
Page 48 and 49: 46 CHAPTER 6. FORENSIC ONTOLOGY pro
Page 50 and 51: 48 CHAPTER 6. FORENSIC ONTOLOGY reg
Page 52 and 53: 50 CHAPTER 6. FORENSIC ONTOLOGY 6.9
Page 54 and 55: 52 CHAPTER 6. FORENSIC ONTOLOGY Par
Page 56 and 57: 54 CHAPTER 6. FORENSIC ONTOLOGY
Page 58 and 59: 56 CHAPTER 7. IMPLEMENTATION 7.3 RD
Page 60 and 61: 58 CHAPTER 7. IMPLEMENTATION the co
Page 62 and 63: 60 CHAPTER 7. IMPLEMENTATION 1 SELE
Page 64 and 65: 62 CHAPTER 7. IMPLEMENTATION Anothe
Page 66 and 67: 64 CHAPTER 7. IMPLEMENTATION 7.8 St
Page 68 and 69: 66 CHAPTER 8. EVALUATION 6. The las
Page 70 and 71: 68 CHAPTER 8. EVALUATION key (CTEMO
Page 72 and 73: 70 CHAPTER 9. SUMMARY after some is
Page 74 and 75: 72 APPENDIX A. EXTRACTION TOOL LIST
Page 76 and 77: 74 APPENDIX A. EXTRACTION TOOL LIST
Page 78 and 79: 76 APPENDIX B. FORENSIC TOOLS OUTPU
Page 80 and 81:
78 APPENDIX C. SCREENSHOTS Figure C
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
84 APPENDIX C. SCREENSHOTS
Page 88 and 89:
86 BIBLIOGRAPHY [Carrier, 2012c] Ca
Page 90 and 91:
88 BIBLIOGRAPHY [Microsoft, 2010] M
Page 92:
90 BIBLIOGRAPHY [W3C, 2004] W3C (20
show all

An Ontology for Digital Forensics in IT Security Incidents - OPUS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?