Digital Forensics and Incident Response
Post on 20-May-2015
Preparation
Identification and Analysis
Containment
Eradication
Recovery
Lessons learnt
Elevated cmd and WMIC (run from an Administrator command prompt; netstat -b and the WMIC queries need it)
tasklist /v /fo csv
tasklist /svc /fo csv
netstat -ab
dir /a/s /tc c:\
wmic startup list full /format:csv
wmic process list full /format:csv
Memory image
Hibernation file
Page file
Registry Hives
Event Logs
$MFT
Contents of Prefetch folder
File listing with MD5 hashes
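The two slides above describe a procedure: run the volatile-data commands from an elevated prompt, then gather the listed artifacts, including a file listing with MD5 hashes. The following collector, added here as an example and not code from the original slides, does both in one script: it runs each command with no shell involved (dir is a cmd.exe builtin, so it goes through cmd /c), saves every output into a case directory, walks a target tree producing a path/size/timestamps/MD5 CSV, and finishes with a SHA-256 manifest of everything collected so the files can be verified later. The function names, the output layout, and the sample tree and stand-in command used by demo() are this example's own assumptions, not anything the slides specify.

```python
"""Live-response collector: an added example, not code from the original
slides. Runs the volatile-data commands listed above from an elevated
prompt, saves each output into a case directory, writes an MD5 file listing
of a target tree, and ends with a SHA-256 manifest of everything collected.
Function names, the output layout and the sample tree in demo() are this
example's own assumptions."""
import csv, hashlib, os, subprocess, sys, tempfile, time

# The commands from the slides, split explicitly so no shell is involved;
# 'dir' is a cmd.exe builtin, so it has to be launched through cmd /c.
TRIAGE_COMMANDS = {
    "tasklist_verbose":  ["tasklist", "/v", "/fo", "csv"],
    "tasklist_services": ["tasklist", "/svc", "/fo", "csv"],
    "netstat":           ["netstat", "-ab"],
    "dir_created":       ["cmd", "/c", "dir", "/a", "/s", "/tc", "c:\\"],
    "wmic_startup":      ["wmic", "startup", "list", "full", "/format:csv"],
    "wmic_process":      ["wmic", "process", "list", "full", "/format:csv"],
}

def iso_utc(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

def run_command(label, argv, case_dir, timeout=300):
    """Save stdout+stderr of one command to <case_dir>/<label>.txt. A missing
    binary or a hang is recorded in the file rather than aborting the run."""
    out_path = os.path.join(case_dir, label + ".txt")
    with open(out_path, "wb") as fh:
        fh.write(("# %s\n# run at %s\n" % (" ".join(argv), iso_utc(time.time()))).encode())
        try:
            proc = subprocess.run(argv, stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT, timeout=timeout)
            fh.write(proc.stdout + ("\n# exit status %d\n" % proc.returncode).encode())
        except (OSError, subprocess.TimeoutExpired) as exc:
            fh.write(("# FAILED: %r\n" % (exc,)).encode())
    return out_path

def hash_file(path, algo="md5", chunk=1 << 20):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def file_listing(root, csv_path):
    """Write path,size,mtime,ctime,md5 for every regular file under root.
    Unreadable files are still listed with an ERROR marker so the gap is
    visible; symlinks are skipped. On Windows st_ctime is the creation time
    (what dir /tc shows); on Unix it is the inode change time."""
    rows = [["path", "size", "mtime_utc", "ctime_utc", "md5"]]
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                st = os.stat(path)
                rows.append([path, st.st_size, iso_utc(st.st_mtime),
                             iso_utc(st.st_ctime), hash_file(path)])
            except OSError as exc:
                rows.append([path, "", "", "", "ERROR:" + type(exc).__name__])
    with open(csv_path, "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    return rows

def write_manifest(case_dir):
    """SHA-256 every collected artifact so later alteration is detectable."""
    manifest = {}
    for name in sorted(os.listdir(case_dir)):
        path = os.path.join(case_dir, name)
        if os.path.isfile(path) and name != "manifest.sha256":
            manifest[name] = hash_file(path, "sha256")
    with open(os.path.join(case_dir, "manifest.sha256"), "w") as fh:
        fh.writelines("%s  %s\n" % (d, n) for n, d in manifest.items())
    return manifest

def collect(case_dir, listing_root="C:\\", commands=TRIAGE_COMMANDS):
    os.makedirs(case_dir, exist_ok=True)
    for label, argv in commands.items():
        run_command(label, argv, case_dir)
    file_listing(listing_root, os.path.join(case_dir, "file_listing.csv"))
    return write_manifest(case_dir)

def demo():
    """Exercise the collector on a constructed sample tree, with a portable
    command standing in for the Windows tools so it runs on any OS."""
    base = tempfile.mkdtemp()
    tree = os.path.join(base, "evidence")
    os.makedirs(os.path.join(tree, "sub"))
    with open(os.path.join(tree, "a.txt"), "wb") as fh:
        fh.write(b"hello")      # constructed; md5 5d41402abc4b2a76b9719d911017c592
    with open(os.path.join(tree, "sub", "b.bin"), "wb") as fh:
        fh.write(b"\x00" * 16)  # constructed
    case = os.path.join(base, "case")
    cmds = {"echo": [sys.executable, "-c", "print('constructed output')"],
            "missing": ["no-such-binary-for-this-demo"]}
    manifest = collect(case, tree, cmds)
    with open(os.path.join(case, "file_listing.csv"), newline="") as fh:
        rows = list(csv.reader(fh))
    logs = {n: open(os.path.join(case, n + ".txt")).read() for n in cmds}
    return {"manifest": manifest, "rows": rows, "logs": logs}

if __name__ == "__main__":
    print(collect(sys.argv[1]) if len(sys.argv) > 1 else demo()["manifest"])
```

Run as `python collect.py D:\case01` from the elevated prompt to collect into a directory on removable media. Two caveats the slides leave implicit: running anything on the live host changes it (prefetch entries, timestamps), so capture the memory image first where the order matters, and the hashes only prove integrity from the moment of collection, which is why the manifest is written last and covers every file in the case directory.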
Download SANS SIFT Workstation 2.14 from http://computer-forensics.sans.org/community/downloads
(SANS SIFT Workstation 3 to be released soon)
VMware Appliance
Cross compatibility between Linux and Windows
A portable lab workstation you can use for your investigations
Forensic tools preconfigured
Option to install stand-alone via (.iso) or use via VMware Player/Workstation
You have to learn it like you do any tool
Powerful command line capability
It is a tool to accomplish deep forensic analysis
Memory Analysis
File System Analysis
Timeline Analysis
And many more…
Login "sansforensics"
Password "forensics"
$ sudo su
Use it to elevate privileges to root, which is needed when mounting disk images.
File System Support
• Windows (MSDOS, FAT, VFAT, NTFS)
• MAC (HFS)
• Solaris (UFS)
• Linux (EXT2/3)
Evidence Image Support
• Expert Witness (E01)
• RAW (dd)
• Advanced Forensic Format (AFF)
• Source files for Autopsy, The Sleuth Kit and other tools: /usr/local/src
• Location of the forensic pre-compiled binaries: /usr/local/bin
• Location of the images that were seized from your compromised system: /cases
• Location of the mount points for the file system images: /mnt
• Automated registry analysis: RegRipper
• Registry analyzer: YARU
• Recover deleted registry keys: deleted.pl
• Parser for metadata: exiftool
• .pst mail examination tool: libpff
Elevate your privileges ($ sudo su); both mount steps need root
Change directories to /cases/<case directory>
Mount the .E01 image in the /mnt/ewf directory; mount_ewf.py presents the E01 contents there as a single raw image file
$ mount_ewf.py <image>.E01 /mnt/ewf/
Mount that raw image read-only on /mnt/windows_mount (create the mount point first if it does not exist; show_sys_files and streams_interface=windows are ntfs-3g options that expose the NTFS metafiles such as $MFT and alternate data streams)
$ mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/<raw image file> /mnt/windows_mount
1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review Network Artifacts
4. Look for evidence of code injection
5. Check for signs of rootkit
6. Dump suspicious processes and drivers
$ vol.py -f <image> --profile=<profile> <plugin>
Instead of repeating -f and --profile on every run, export them once:
$ export VOLATILITY_LOCATION=file://<filepath>
$ export VOLATILITY_PROFILE=<profile>
Convert a hibernation file or crash dump to a raw image (imagecopy writes its output with -O):
$ vol.py -f <hibernation file or crash dump> imagecopy -O <image>.raw
Command history and network plugins: cmdscan, consoles, connections, connscan, netscan (connections and connscan are for XP/2003; use netscan for Vista and later)
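Steps 1 and 5 of the six-step list above (rogue processes, signs of a rootkit) are usually answered by comparing two plugin outputs rather than reading one. The script below, added here as an example and not code from the slides or the Volatility project, parses the text that `vol.py -f <image> --profile=<profile> pslist` and `... psscan` print and applies both checks: a process that psscan finds but pslist does not, and that has no exit time, is a candidate for a process unlinked from the active list; a core Windows process with an unexpected parent (the classic svchost.exe started by explorer.exe) is a candidate rogue process. The two sample tables are constructed for this example in the Volatility 2 layout, and the expected-parent table is a deliberately small simplification (csrss.exe, wininit.exe and winlogon.exe are not checked because their smss.exe parent has normally exited).

```python
"""Cross-check of Volatility 2 pslist and psscan output: an added example,
not code from the slides or the Volatility project. Parses the plugins'
printed tables, reports psscan-only processes that have not exited
(hidden/unlinked, a DKOM rootkit sign) and core processes with an unexpected
parent (rogue process sign). Samples are constructed; the parent table is
a simplification covering Vista+ (wininit.exe) and XP (winlogon.exe)."""
import re

# A data row of pslist or psscan: offset, name, PID, PPID, then the rest.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")
# A Volatility timestamp; a row carrying two of them has both Start and Exit.
TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

EXPECTED_PARENT = {                      # lowercased child -> allowed parents
    "smss.exe":     {"system"},
    "services.exe": {"wininit.exe", "winlogon.exe"},
    "lsass.exe":    {"wininit.exe", "winlogon.exe"},
    "svchost.exe":  {"services.exe"},
}

PSLIST_SAMPLE = """\
Offset(V)  Name          PID  PPID Thds Hnds Sess Wow64 Start                        Exit
---------- ------------ ---- ----- ---- ---- ---- ----- ---------------------------- ----
0x84a7a020 System          4     0   80  500 ----     0 2015-05-20 09:00:01 UTC+0000
0x85d3b8a8 smss.exe      260     4    2   29 ----     0 2015-05-20 09:00:01 UTC+0000
0x860c0d40 wininit.exe   384   328    3   75    0     0 2015-05-20 09:00:03 UTC+0000
0x8624a030 services.exe  480   384    8  213    0     0 2015-05-20 09:00:04 UTC+0000
0x86254a48 lsass.exe     496   384    7  548    0     0 2015-05-20 09:00:04 UTC+0000
0x86310d40 svchost.exe   608   480   11  354    0     0 2015-05-20 09:00:05 UTC+0000
0x86b00d40 explorer.exe 1688  1660   25  800    1     0 2015-05-20 09:01:10 UTC+0000
0x86a21030 svchost.exe  1744  1688    5   80    1     0 2015-05-20 09:10:15 UTC+0000
0x86c44030 cmd.exe      2040  1688    0    0    1     0 2015-05-20 09:30:00 UTC+0000 2015-05-20 09:31:00 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name          PID  PPID PDB        Time created                 Time exited
------------------ ------------ ---- ----- ---------- ---------------------------- ----
0x000000003ea7a020 System          4     0 0x00185000 2015-05-20 09:00:01 UTC+0000
0x000000003ed3b8a8 smss.exe      260     4 0x3e9c0020 2015-05-20 09:00:01 UTC+0000
0x000000003e0c0d40 wininit.exe   384   328 0x3e9c0060 2015-05-20 09:00:03 UTC+0000
0x000000003e24a030 services.exe  480   384 0x3e9c00a0 2015-05-20 09:00:04 UTC+0000
0x000000003e254a48 lsass.exe     496   384 0x3e9c00c0 2015-05-20 09:00:04 UTC+0000
0x000000003e310d40 svchost.exe   608   480 0x3e9c0100 2015-05-20 09:00:05 UTC+0000
0x000000003eb00d40 explorer.exe 1688  1660 0x3e9c0200 2015-05-20 09:01:10 UTC+0000
0x000000003ea21030 svchost.exe  1744  1688 0x3e9c0240 2015-05-20 09:10:15 UTC+0000
0x000000003ec44030 cmd.exe      2040  1688 0x3e9c0340 2015-05-20 09:30:00 UTC+0000 2015-05-20 09:31:00 UTC+0000
0x000000003ed10a28 notepad.exe  1120  1688 0x3e9c0380 2015-05-20 09:20:00 UTC+0000 2015-05-20 09:21:00 UTC+0000
0x000000003ee00b40 rundll32.exe 1900   608 0x3e9c03a0 2015-05-20 09:12:30 UTC+0000
"""

def parse_process_table(text):
    """Return {(pid, name): {"ppid", "exited"}} for every data row. Keying on
    (pid, name) keeps psscan entries apart when a PID has been reused."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # header, separator or blank line
        name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
        procs[(pid, name)] = {"ppid": ppid, "exited": len(TS.findall(line)) >= 2}
    return procs

def find_hidden(pslist, psscan):
    """psscan carves EPROCESS blocks by pool tag, so it also sees terminated
    processes; only a psscan-only entry that has NOT exited suggests a
    process unlinked from the active process list."""
    return sorted(k for k, v in psscan.items() if k not in pslist and not v["exited"])

def find_odd_parents(pslist):
    """Flag core processes whose parent is not the expected one."""
    name_of = {pid: name for (pid, name) in pslist}
    findings = []
    for (pid, name), v in sorted(pslist.items()):
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = name_of.get(v["ppid"], "<not in pslist>")
        if parent.lower() not in expected:
            findings.append((pid, name, v["ppid"], parent))
    return findings

if __name__ == "__main__":
    active = parse_process_table(PSLIST_SAMPLE)
    scanned = parse_process_table(PSSCAN_SAMPLE)
    print("hidden:", find_hidden(active, scanned))
    print("odd parents:", find_odd_parents(active))
```

On a real image, save the plugin output first (`vol.py -f mem.raw --profile=<profile> pslist > pslist.txt`, likewise for psscan) and feed those files to parse_process_table. Treat both outputs as leads, not verdicts: a psscan-only, not-exited entry can also be a process whose EPROCESS was partially overwritten, and a parent check only says a process is worth the DLL, handle and injection review that follows in steps 2 to 4.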
https://code.google.com/p/volatility/wiki/
http://computer-forensics.sans.org/community
SANS live classes and webcasts
File System Forensic Analysis by Brian Carrier