Digital Forensics Foundations: Hands-On Workshop (264680121)
59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121) http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 1/59 Digital Forensics Workshop *Excerpts from SANS FOR408, FOR508 & FOR526 Alissa Torres SANS Institute @sibertor [email protected]
Transcript of Digital Forensics Foundations: Hands-On Workshop (264680121)
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 1/59
Digital Forensics Workshop
*Excerpts from SANS FOR408, FOR508 & FOR526
Alissa TorresSANS Institute
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 2/59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 3/59
!"#$%&"' )*+,-.
0"1,-.23",% "4 5067
8 5.2. 9"::+;23",
8 <2.*+% "4 6,;3-+,2 7+%'",%+
8
=":.23:32> "4 91##+,2 <>%2+? <2.2+
03:+ <>%2+? ),.:>%3%
8
@A3-+,;+ "4 03:+ );;+%%BC,"D:+-*+B@E+;123",8
6-+,234>3,* ),23F0"#+,%3;% G+;&,3H1+%
I+?"#> ),.:>%3%8
J#";+%% @,1?+#.23",
8
K+2D"#$ 9",,+;23",%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 4/59
6,2#"-1;23", 2" 53*32.: 0"#+,%3;%
•
“Digital forensics is the collection,examination, and reporting of digital
evidence.” - Eric Huber
• Wide Application for Forensics Skills
o Employee Investigations/Acceptable Use Policy
Violations
o
Criminal Investigationso Network Intrusions/Incident Investigations
o Data Recovery Service
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 5/59
!&+#+ 3% 2&+ +A3-+,;+L
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 6/59
6,A+%23*.23A+B62+#.23A+J#";+%%
• Best Method
o Keyword
o
Graphic reviewo Internet Analysis
• Best Tool
•
Analysis of Search Results
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 7/59
@A3-+,;+ );H13%323",
•
Hard Drive Image
• Physical Memory Capture
•
Volatile Data Acquisition• Network Traffic
• Witness Device Logs (VPN
Concentrators, Web Server Logs,Switch, Router, Firewall Logs)
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 8/59
0"#+,%3;% =";.M1:.#>
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 9/59
0"#+,%3;% =";.M1:.#>
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 10/59
5++' 53A+ 0"#+,%3;% A% <;.,,3,*
Deep Dive Forensics
• K"2 .;;"?':3%&+- ", +A+#>%>%2+?
• N+:'% .,%D+# $+> H1+%23",% .M"12 M#+.;&
•
C+> 2" %1;;+%%41: #+?+-3.23",
• 9"::+;2% I.:D.#+o <+,-% 2" 7@ G+.?
• 9"::+;2% K+2D"#$ <3*,.21#+%o <+,-% 2" K+2D"#$ G+.?
•
O13;$ G1#, )#"1,- PQ -.>%R• 5++' 53A+ 4"#+,%3;%
o
I+?"#> ),.:>%3% P!"" '#";+%%+%R
o G3?+:3,+ ),.:>%3% P!"" .;23A32>R
o 03:+ <>%2+? ),.:>%3% P!"" S:+%>%2+?.,.:>%3%R
Enterprise Triage/Scanning
• G"1;& .,- *" %;., 4"#;"?'#"?3%+%
• 6-+,234> ,+D %>%2+?%
;"?'#"?3%+-• I+.,2 2" M+ .M:+ 2" %;., TUVVV% "4
%>%2+?% H13;$:>
• W""$% 4"# $+> %3*,% "4 .X.;$+#.;23A32> A3. %+;1#32> 3,2+::3*+,;+
• @,2+#'#3%+ <;.,,3,*o I+?"#> ),.:>%3% P$%&'()' '#";+%%+%R
o G3?+:3,+ ),.:>%3% P$%&'()' .;23A32>R
o
03:+ <>%2+? ),.:>%3% P$%&'()' S:+%>%2+? .,.:>%3%R
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 11/59
<3EF%2+' 67 J#";+%% .,-0"#+,%3;%
J#+'.#.23",
6-+,23S;.23",.,- <;"'3,*
9",2.3,?+,2 B6,2+::3*+,;+Y.2&+#3,*
@#.-3;.23", B7+?+-3.23",
7+;"A+#>
0"::"D Z' BW+%%",%
W+.#,+-
K" 6-+,23S;.23",[ K" 9",2.3,?+,2
*!"+!,&-&.&'.(/0
2!.&,!"*/3&4&0.-&.&'.(/0
-!.!5/""&'.(/0-&.&'.(/0
-!.! 67)"-&.&'.(/0
0"#+,%3;),.:>%3%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 12/59
G#3.*+ A%\ 01:: I+?"#>);H13%323",
• Memory Acquisition is becoming unwieldy withsystems having upward ranges of 64GB+ ofRAM
•
Remote Triage of a system may NOT includedumping memory, but retrieving audits/liveanalysis
• Live Audit Toolso Redline Collector/Mandiant Intelligent Response
o
EnCase Enterprise (Virtual File System Module)
o F-Response Physical Memory mounting
o CrowdStrike Falcon Host
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 13/59
6%%1+% D32& G#3.*+ PTR
•
Triage/Volatile data collection tools canalter evidence to include modifying:
o
Registry LastWrite time/datestampso Prefetch files
o Event logs
o Services
o
Stored privileged creds
Image courtesy Flickr user marliesc and used under a Creative Commons license, http://www.flickr.com/photos/marliesc/2844510188/
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 14/59
6%%1+% D32& G#3.*+ P]R
• Running collection tools can tip off theattacker or suspect
•
Remote enterprise endpoint agents areoften targeted by attackers
Image courtesy Flickr user marliesc and used under a Creative Commons license, http://www.flickr.com/photos/marliesc/2844510188/
•
Privileged domain
credentials can be stolen from target system after/
during response
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 15/59
0.%2 0"#+,%3;% B G#3.*+@E2#.;23",
8 0"#+,%3; =.:1+)#234.;2
8 5+2.3:+- 6,%3*&2 3,2" <>%2+? <2.2+I+?"#>
8 <>%+%2+? .,- Z%+# 9",S*1#.23",BJ#+4+#+,;+%7+*3%2#> &3A+% ^ M.;$1'%
8
@A3-+,;+ "4 03:+ );;+%%BC,"D:+-*+WKC S:+%
8 @A3-+,;+ "4 03:+ );;+%%BC,"D:+-*+ _1?' :3%2%
8 @A3-+,;+ "4 @E+;123",J#+4+2;&
8 <>%2+?B<+;1#32>B)'':3;.23", @A+,2%@A+,2 :"*%
8
6,323.: =+;2"# "4 6,4+;23", "# J.X+#, "4 W34+`#"D%+# 5.2. P6@U 03#+4"EU 9&#"?+R
8 I+2.-.2. P23?+%2.?'%R "4 03:+%B0":-+#% ", =":1?+I.%2+# 03:+ G.M:+ PaI0GR
8 J#+%+,;+ "4 03:+%B 03:+ <>%2+? );;+%%+%W"* S:+% .,- _"1#,.: :"*
8 )--323",.: ;"'3+%B;",2+,2% "4 ?+?"#>J.*+S:+ ^ N3M+#,.23", S:+%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 16/59
67 G+.? W34+ 9>;:+ bA+#A3+DN"%2 0"#+,%3;% B 67 P0b7cVdB
0b7eVdR8 @,2+#'#3%+ <;.,,3,*8 5++' 53A+ ),.:>%3%
K+2 0"#+,%3;% B 67
0b7ef]
8 K+2D"#$ ̀ .%+- @A+,2 9"##+:.23",g ef]
8 5++' J.;$+2 6,%'+;23", F eVQ
7@ I.:D.#+ F 0b7hTV
),.:>%3%
8 G&#+.2 6,2+::3*+,;+ 9#+.23",
I.:D.#+
0"1,- ",<>%2+?
6JBK+2D"#$5.2. 0"1,-
", <>%2+?
<2#3,*%U I.:D.#+ 5.2.UJ"#2%U 6JBK+2D"#$U 5.2.
0"1,- ", K+2D"#$J.;$+2
9.'21#+%b4 I.:D.#+G#.i;
<>%2+? G&#+.26,2+::3*+,;+
K+2D"#$G&#+.2
6,2+::3*+,;+
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 17/59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 18/59
Z%+#
9"??%
!+M `.%+-
@F?.3:@F?.3: 9.:+,-.#
9&.2 B !+M?.3:
I+?"#> )#234.;2%
9&.2 .,-
6I
03:+5"D,:".-
b'+, B <.A+I7Z @F?.3:
<$>'+N3%2"#>
6,-+E\-.2BJ:.;+%\%H:32+
5"D,:".-%\%H:32+
J#"*#.?@E+;123", Z%+#)%%3%2
W.%2=3%32+-I7Z
71,I7Z <2.#2Fj71,
IZ69.;&+
!3,f _1?'W3%2% J#+4+2;&
<+#A3;+%P@=GR
03:+ b'+,3,*B9#+.23",
7+;+,203:+%
bi;+ 7+;+,203:+%
<&+:: M.*%
W3,$03:+% _1?' W3%2% J#+4+2;& 6,-+E\-.2 S:+kBB
5+:+2+- 03:+ "#03:+
C,"D:+-*+
lJ <+.#;&F )9I7Z
!3,f <+.#;& g!"#-!&++:O1+#>
W.%2 =3%32+-I7Z
G&1?M%\- M
!3,fBdG&1?M,.3:%
7+;>;:+`3,
`#"D%+#)#234.;2%
J&>%3;.:W";.23", G3?+m",+
!3#+:+%%<<65
!3,fBd K+2D"#$N3%2"#> 9""$3+%
`#"D%+# <+.#;&G+#?%
Z<` C+>Z%.*+
C+>6-+,23S;.23",
03#%2B W.%2G3?+% Z%+#
=":1?+K.?+
5#3A+W+X+# W3,$ 03:+%
J^J @A+,2W"*
);;"1,2 Z%.*+P<)IR
W.%2W"*3,
W.%2 0.3:+-W"*3,
W.%2 J.%%D"#-9&.,*+
Y#"1'I+?M+#%&3'
);;"1,2 Z%.*+P@=GR
<1;;+%% B0.3: W"*",%
W"*",G>'+%
75JZ%.*+
);;"1,2 W"*",B)12&+,23;.23",
7"*1+ W";.:);;"1,2%
`#"D%+#Z%.*+ N3%2"#> 9""$3+% 9.;&+
<+%%3",7+%2"#+
0:.%& ̂ <1'+#9""$3+%
<1**+%2+-<32+%
I+?"#> 0#.*?+,2%"4 J#3A.2+ ̀ #"D%3,*
@A3-+,;+ "4n
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 19/59
!3,-"D% )#234.;2 ),.:>%3%
89/,.':. ;("&$ <2=>?
@(0A/+$ B,&C&.'9
D0.(E;/,&0$('$ F&'90(G:&$
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 20/59
<&"#2;12 03:+% P.lnkR
• LNK files automatically created byWindows in Recent Foldero Win7/8
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent
o WinXP
C:\Documents and Settings\<username>\Recent\
!&> 32 ?.X+#% 2" >"1# 3,A+%23*.23",k8
@A3-+,;+ "4 03:+ );;+%%
8 @A3-+,;+ "4 03:+ C,"D:+-*+
8
J#+%+,;+ "4 03:+B53#+;2"#> "4 7+?"A.M:+ 5+A3;+BK+2D"#$
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 21/59
<&"#2;12 03:+% P.lnkR
• Any non-executable opened inWindows generates a shortcut(.lnk)
o
Max = 149 Files/Folders in Recent File Target
Directory
o Parent Folder
o Directory
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 22/59
<&"#2;12 03:+% P.lnkR
• Shortcut (.lnk ) Files will point to:
o
Target File MAC times
o Volume Information (Name, Type, Vol. Serial #)
o Fixed, Removable, or Network Target
o
Original Path & Location
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 23/59
\WKC G3?+ "4 03#%2BW.%2 b'+,
5.2+BG3?+ 03:+ M> 2&.2 ,.?+ D.% S#%2 "'+,+-
8 9#+.23", 5.2+ "4 <&"#2;12 03:+
5.2+BG3?+ 03:+ M> 2&.2 ,.?+ D.% :.%2 "'+,+-
8 W.%2 I"-3S;.23", 5.2+ "4 <&"#2;12 03:+
03#%2 b'+,+- W.%2 b'+,+-
@E.?':+ b'+, 7+;+,2 53#+;2"#>
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 24/59
@E.?':+ g b'+, 7+;+,2 53#+;2"#>
via FTK Imager
@ . :+ 9:3 $ " . WKC 03:+
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 25/59
@E.?':+ g 9:3;$ ", . \WKC 03:+
@E.?3,+ 03:+ J#"'+#23+%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 26/59
J.#%3,* I+2.-.2. 3, 03:+%
• Metadata can be found in:o
Pictures
o Office Documents
o Audio Fields
o
Video Fieldso
Executable Files
• Exiftool can pull metadata from thesedata formats easily and quickly
o
Drag and drop file on exiftool or execute fromcommand line against picture.
• http://owl.phy.queensu.ca/~phil/exiftool/
• Updated Regularly – Update Often!
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 27/59
@E.?':+k I< bi;+ I+2.-.2.
•
Browse to a foldercontaining documents
• Drag and Drop on
EXIFTOOL
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 28/59
@E+#;3%+ ]@E+#;3%+ T@E.?3,3,* WKC 03:+%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 29/59
!3,-"D% )#234.;2 ),.:>%3%
89/,.':. ;("&$ <2=>?
@(0A/+$ B,&C&.'9
D0.(E;/,&0$('$ F&'90(G:&$
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 30/59
!3 - J 4 2 &
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 31/59
!3,-"D% J#+4+2;&<1'+#4+2;&
J#+4+2;& lJB=3%2.B!3,fB!3,d
8 6,;#+.%+% '+#4"#?.,;+ "4 %>%2+? M> '#+F:".-3,* ;"-+ '.*+%8 9.;&+ ?.,.*+# ?",32"#% .:: S:+% .,- -3#+;2"#3+% ?.'% 2&+? 3,2" . H%C S:+\
8 Z23:3m+- 2" %&"D .'':3;.23", +E+;123", P!&.2 .,- !&+,R
8 53%.M:+- ", %>%2+?% D32& <<5 -#3A+ "2&+#D3%+ +,.M:+- M> -+4.1:2
c:\Windows\Prefetch
8 W3?32+- 2" T]d S:+% ", lJ .,- =3%2.B!3,f8 W3?32+- 2" TV]c S:+% 4"# !3,d
• (exename)-(hash).pf
8 N.%& ;.:;1:.2+- M.%+- ", -3#+;2"#> '.2& "4 +E+;12.M:+
8
W""$1' 2.M:+ 4"# S:+F&.%& 4"1,- ", ;"1#%+ Z<`k prefetch_hashes_lookup.txt
c:\Windows\Prefetch\Layout.ini
• layout.ini S:+ ;",2.3,% "#3*3,.: '.2& ,.?+% "4 2&+ S:+% :";.2+- 3, 2&+ '#+4+2;&8 53%$ 5+4#.*?+,2+# 1%+% :.>"12\3,3 2" #+:";.2+ .:: -3#+;2"#3+% .,- S:+% 2" . ;",23*1"1% .#+. "4
2&+ -3%$
J#"*#.?@E+;123",
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 32/59
J#+4+2;& ),.:>%3% g 03#%2BW.%2 @E+;123",
2!$. 67&':.&A 03#%2 @E+;12+-
•
Date/Time .exe first executed*o
Creation Date of .pf file (~-10 seconds)
• Date/Time .exe last executed
o
Windows 8 stores the last 8 times executed embedded in each .pfo
Last Modification Date of .pf file (~-10 seconds)
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 33/59
J#+4+2;&0"#+,%3;% J.#%3,* G"":
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 34/59
J#+4+2;&0"#+,%3;% J.#%3,* G"":
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 35/59
@E+#;3%+ ]Spotting Hidden Processes@E+#;3%+ ]@E.?3,3,* J#+4+2;& 03:+%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 36/59
!3,-"D% )#234.;2 ),.:>%3%
89/,.':. ;("&$ <2=>?
@(0A/+$ B,&C&.'9
D0.(E;/,&0$('$ F&'90(G:&$
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 37/59
03:+ <>%2+? @%%+,23.:%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 38/59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 39/59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 40/59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 41/59
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 42/59
@A3-+,;+ 3, I+?"#>
• Running Processes and Services
• Unpacked/decrypted Executables
• Memory-only Chat and P2P programs
•
Network Communications & Listening Ports• Encryption Keys/Cleartext Passwords
• In-Private Browsing history
• Evidence of Rootkit Subversion
•
Registry Keys
Image courtesy Flickr user Heather “Cast a Line” and used under a Creative Commons License, http://www.flickr.com/photos/58754750@N08/5484319650/
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 43/59
I+?"#> 0"#+,%3;%
•
Triage & Memory Acquisition & Analysiso Increasingly more common in CIRT triage SOPs
o Typically in IR, the more evidence, the faster, the
better
o Every technique has its advantages anddisadvantages
o 90% of analysis is conducted on 1% of the data
o
Whatever tool/technique you choose, it is importantto understand how the method may affect:
1.) the target system and/or
2.) the resultant memory image
6, +%23*.23 + I+2&"-":"*>
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 44/59
6,A+%23*.23A+ I+2&"-":"*>kZ%+ 9.%+k 6-+,234>3,* I.:D.#+
8
IA&0.(CJ ,/K:& %,/'&$$&$ L
8 D0!"JM& %,/'&$$ -22$ !0A 9!0A"&$N
8
O&3(&+ 0&.+/,P !,.(C!'.$Q
8 2//P C/, &3(A&0'& /C '/A& (0R&'.(/0S
8 59&'P C/, $(K0$ /C ! ,//.P(.T
8
-:4% $:$%('(/:$ %,/'&$$&$ !0A A,(3&,$U
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 45/59
I+?"#> 0"#+,%3;% )#%+,.:k Volatility Framework
8 ):%" <2.,-.:",+ !3,-"D% +E+;12.M:+
b'+, <"1#;+ J>2&", 4#.?+D"#$ 4"# ?+?"#>4"#+,%3;%
8 !3,lJ <J]BQU <+#A+#]$QB<JTU]$dB7]U !3,f <JVBTU !3,d ^!3,d\T
8 oQ]FM32 ^ hcFM32o
<1''"#2+- J:.24"#?%
8 )-A.,;+- 0"#+,%3; J:1*3, J.#%+#%<1''"#2 .--+- 3, ]\Q\T 4"# b<l .,- W3,1E
91X3,* @-*+ 5+A+:"'?+,2
0"# I"#+ 6,4"k &X'kBBA":.23:32>4"1,-.23",\"#*BJ3;21#+ ;"1#2+%> 0:3;$# 1%+# M.#p.;$ .,- 1%+- 1,-+# . 9#+.23A+ 9"??",% :3;+,%+U &X'kBBDDD\q3;$#\;"?B'&"2"%BM.#p.;$BD32&BTfVQQVd]dB
Y+X3,* <2.#2+- D32&
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 46/59
Y+X3,* <2.#2+- D32&=":.23:32>
(4!K&(0C/ 5+2+#?3,+ 2.#*+2 %>%2+? '#"S:+ 4#"? . ?+?"#> 3?.*+
%$"($.53%':.>% 2&+ '#";+%%+% ?.3,2.3,+- 3, 2&+ r@J7b9@<<-"1M:>F:3,$+- :3%2
%$$'!06-+,23S+% @J7b9@<< '"": .::";.23", M.%+- ",
%;.,,3,* 4"# '#";+%% %'+;3S; '"": 2.*%
6?.*+ 6-+,23S;.23",
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 47/59
6?.*+ 6-+,23S;.23",imageinfo PTR
8
6-+,23S+% 2&+ C5`Y .,- -+2+#?3,+% 2&+ %>%2+? '#"S:+.,- "2&+# ?+2.-.2. '+#2.3,3,* 2" 2&+ 3?.*+ P-.2+ "4;#+.23",R
B:,%/$&
8 K",+
I4%/,.!0. B!,!4&.&,$
8 5+2+#?3,+% "'+#.23,* %>%2+? ^ %+#A3;+ '.;$ P'#"S:+ 3,4"R8
03,- -.2+ .,- 23?+ D&+, ?+?"#> 3?.*+ .;H13#+-8 `+ '.23+,2s G&3% ':1*3, ;., 2.$+ %"?+ 23?+\
I03&$.(K!.(3& =/.&$
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 48/59
C5`Y I.*3; =.:1+%V%&,!.(0K 8J$.&4 >-WX *!K(' Y!":&
!3,-"D% lJ VV VV VV VV VV VV VV VV cM cc c] cf tV V]
!3,-"D% <+#A+# ]VVQ VV VV VV VV VV VV VV VV cM cc c] cf Td VQ
!3,-"D% =3%2. <JV VV VV VV VV VV VV VV VV cM cc c] cf ]d VQ
!3,-"D% =3%2. <JT VV VV VV VV VV VV VV VV cM cc c] cf QV VQ
!3,-"D% <+#A+# ]VVd VV VV VV VV VV VV VV VV cM cc c] cf cV VQ
!3,-"D% f VV VV VV VV VV VV VV VV cM cc c] cf cV VQ
!3,-"D% d LL LL LL LL V] 0d 00 00 cM cc c] cf hV VQ
6?.*+ 6-+,23S;.23",
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 49/59
6?.*+ 6-+,23S;.23",imageinfo P]R
!.:$ 2&+ J#";+%% W3%2
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 50/59
!.:$ 2&+ J#";+%% W3%2pslist PTR
8
53%':.>% 2&+ '#";+%%+% ?.3,2.3,+- 3, 2&+ r@J7b9@<<-"1M:>F:3,$+- :3%2
B:,%/$&
8 PF'R 03:2+# "12'12 M.%+- ", %'+;3S; '#";+%%P+%R8 PFJR b12'12 '&>%3;.: .--#+%% "u%+2 3,%2+.- "4 A3#21.:
I4%/,.!0. B!,!4&.&,$
8 J#";+%% 65 PJ65RU J.#+,2 J#";+%% 65 PJJ65RU G&#+.- ;"1,2UN.,-:+ ;"1,2U <+%%3",U !"DhcU <2.#2 ^ @E32 G3?+%
8 b12'12 ;., 3,;:1-+ 2+#?3,.2+-U M12 1,#+.'+- '#";+%%+%
I03&$.(K!.(3& =/.&$
!.:$ 2&+ J#";+%% W3%2
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 51/59
!.:$ 2&+ J#";+%% W3%2pslist P]R
Based on the pslist output, we can determine thatthe process svchost.exe (PID 632) has the parentservices.exe (PID 520)
!.:$ 2&+ J#";+%% W3%2
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 52/59
!.:$ 2&+ J#";+%% W3%2pslist PQR
In this truncated pslist output, threeterminated processes (PID 2536, 2112 & 1040)are included in doubly-linked list\
<;., 4"# J#";+%% <2#1;21#+%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 53/59
<;., 4"# J#";+%% <2#1;21#+%psscan PTR
8
6-+,23S+% @J7b9@<< '"": .::";.23", M.%+- ", %;.,,3,*4"# '#";+%% %'+;3S; '"": 2.*%
B:,%/$&
8
K",+
I4%/,.!0. B!,!4&.&,$
8 `> %;.,,3,* .:: "4 ?+?"#> 4"# '#";+%% M:";$%U .,- ,"2%3?':> 4"::"D3,* 2&+ @J7b9@<< :3,$+- :3%2U &3--+,
'#";+%%+% ?.> M+ 3-+,23S+-8 6, .--323",U 2+#?3,.2+- '#";+%%+% .,- 2&"%+ 4#"? .'#+A3"1% M""2 ?.> M+ 3,;:1-+- 3, 2&+ %;., "12'12
I03&$.(K!.(3& =/.&$
<;., 4"# J#";+%% <2#1;21#+%
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 54/59
<;., 4"# J#";+%% <2#1;21#+%psscan P]R
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 55/59
J#+A3"1% `""2 J#";+%%+%
<;.,,3,* 4"# 9",,+;23",% PlJ^]$QR
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 56/59
<;.,,3,* 4"# 9",,+;23",% PlJ^]$QR connscan PTR
8 <;., '&>%3;.: ?+?"#> 4"# rG9JGrb`_@9G "Mp+;2%
B:,%/$&
8 K",+
I4%/,.!0. B!,!4&.&,$
8 b42+, >3+:-% ?"#+ &3%2"#3;.: ,+2D"#$ -.2. 2&.,;",,+;23",%U '.#23;1:.#:> 3, 2#.;$3,* 9] ;&.,,+:;"??1,3;.23",%
I03&$.(K!.(3& =/.&$
<;.,,3,* 4"# 9",,+;23",% PlJ^]$QR
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 57/59
Watch out for false positives!
<;.,,3,* 4"# 9",,+;23",% PlJ^]$QR connscan P]R
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 58/59
c:\volatility-2.4.standalone.exe -f image.img--profile=WinXPSP3x86 pslist
71,,3,* =":.23:32> <2.,-.:",+
8/9/2019 Digital Forensics Foundations: Hands-On Workshop (264680121)
http://slidepdf.com/reader/full/digital-forensics-foundations-hands-on-workshop-264680121 59/59
@E+#;3%+ QIdentifying Rogue Processes
