Live Forensics
Transcript of Live Forensics

Page 1: Are you alive?
Gordon Mitchell
Future Focus, Inc
aka bug-killer, eSleuth, …

Page 2: Shocking news
Federal judges now briefed on need for live forensics
Defense may object to your leaving out 2GB of evidence (RAM)
It may never be possible to find the important issues without live forensics.

Page 3: Ovie Carroll, DOJ at SANS Summit
Current forensics does not scale
Defense may ask about RAM
need to collect even if it is not analyzed
always need to focus on user attribution
user attribution must be in search warrant

Page 4: Don’t pull the plug
Get status of network
Check all running processes
List the users, shares, …
Grab RAM
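The four steps on this slide are what the talk's batch file of commands collects. The script below is an added example, not code from the talk: a Python collector that runs a fixed playbook in order of volatility, stores every command's output, and writes a manifest with the exact command line, a UTC timestamp, a SHA-256 per output and a chain hash over all of them, so the collection can be reproduced and checked later (the "collect even if it is not analyzed" point). It assumes the Windows built-ins netstat, tasklist and net on the target; the option choices, the WINDOWS_PLAYBOOK name, the output directory and the manifest layout are this example's own. RAM capture is left to a dedicated tool, as the talk does with F-Response and mdd.

```python
"""Added example (not from the talk): a live-response collector that replaces
the batch file.  It runs a fixed playbook in order of volatility, stores each
command's output, and writes a manifest with the exact command line, a UTC
timestamp and a SHA-256 per output plus a chain hash over all of them."""
import datetime
import hashlib
import json
import pathlib
import subprocess
from typing import Callable, Dict, List

# Windows built-ins for the steps on the slide, most volatile first.  The
# option choices are this example's; RAM capture is left to a dedicated tool.
WINDOWS_PLAYBOOK: List[List[str]] = [
    ["netstat", "-ano"],   # network status: connections, listeners, owning PIDs
    ["tasklist", "/v"],    # running processes with user name and status
    ["net", "user"],       # local user accounts
    ["net", "share"],      # shares offered by this host
    ["net", "session"],    # who is connected to those shares right now
    # Sysinternals tools from the response media would follow here, each with
    # -accepteula so no EULA dialog stalls the run (see the slide on that).
]


def run_command(argv: List[str]) -> bytes:
    """Default runner: execute argv without a shell; never raise, so a missing
    tool is recorded in the manifest instead of aborting the collection."""
    try:
        proc = subprocess.run(argv, capture_output=True, check=False)
    except OSError as exc:
        return f"COLLECTION ERROR: {exc}".encode()
    return proc.stdout + proc.stderr


def _now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def collect(playbook: List[List[str]], out_dir: str,
            run: Callable[[List[str]], bytes] = run_command) -> Dict:
    """Run every command, save its output and return the manifest (also written
    to out_dir/manifest.json).  `run` is injectable so the bookkeeping can be
    exercised with canned output without touching the host."""
    out = pathlib.Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest: Dict = {"started_utc": _now(), "steps": []}
    chain = hashlib.sha256()  # running hash over the per-step digests, in order
    for index, argv in enumerate(playbook, start=1):
        started = _now()
        output = run(argv)
        digest = hashlib.sha256(output).hexdigest()
        chain.update(digest.encode())
        # file name from the tool name only, so a full path in argv[0] is fine
        name = f"{index:02d}_{pathlib.PurePath(argv[0]).stem}.txt"
        (out / name).write_bytes(output)
        manifest["steps"].append({
            "index": index, "command": argv, "started_utc": started,
            "output_file": name, "sha256": digest, "bytes": len(output),
        })
    manifest["finished_utc"] = _now()
    manifest["chain_sha256"] = chain.hexdigest()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out_dir: str) -> bool:
    """Re-hash the stored outputs against the manifest; False on any mismatch."""
    out = pathlib.Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    chain = hashlib.sha256()
    for step in manifest["steps"]:
        digest = hashlib.sha256((out / step["output_file"]).read_bytes()).hexdigest()
        if digest != step["sha256"]:
            return False
        chain.update(digest.encode())
    return chain.hexdigest() == manifest["chain_sha256"]


if __name__ == "__main__":
    # On the target this would run from the response media into a directory on
    # that media; here it writes into ./collection.
    result = collect(WINDOWS_PLAYBOOK, "collection")
    print(json.dumps(result, indent=2))
    print("verified:", verify("collection"))
```

Run it from the response media on the target; the manifest records what was run and when, and `verify()` shows whether any stored output was altered afterwards. The playbook is a list so the order is explicit: network state and process lists change fastest and go first.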

Page 5: My info sources
Harlan Carvey’s book – a great resource
SANS Summit – the future of forensics
Software vendors
– X-Ways Forensics (good forensics analysis)
– F-Response (remote connection to HD & RAM)
– Sysinternals (superb for Windows diagnostics)
– Mandiant (PC profiling)
– HBGary (impressive RAM parsing & analysis)

Page 6: Sysinternals

Page 7: Prevent popup EULA

Page 8: Batch file of commands
fuzzy hashing – finds almost-same files, finds alterations, partial files
ssdeep -r <files> (to generate)
ssdeep -m file_of_hashes [options] (to compare)
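The two ssdeep commands above generate and match context-triggered piecewise hashes (CTPH). What follows is an added illustration of that technique in Python; it is not ssdeep itself, its hashes are not ssdeep-compatible, and it is not code from the talk. It shows the parts that make "almost-same" files match: a block size chosen from the input length, block boundaries triggered by a rolling hash of the last few bytes, each block reduced to one character, and an edit-distance score between the resulting signatures (the scoring formula is this example's simplification of ssdeep's). The sample log, its copy with one line altered and the unrelated pseudo-random file are constructed inputs.

```python
"""Added example, not from the talk: a simplified context-triggered piecewise
hash (CTPH), the technique ssdeep implements.  Constants and the score formula
are this example's own choices; the hashes are NOT ssdeep-compatible.  A change
in one place alters one or two signature characters instead of the whole hash,
which is why near-duplicates and tampered copies still match."""

ROLLING_WINDOW = 7   # bytes that the rolling hash looks at
SIG_LEN = 64         # target signature length
MIN_BLOCK = 3        # smallest block size tried
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HASH_INIT = 0x28021967  # arbitrary non-zero start value for the block hash


def rolling_hash(window: bytes) -> int:
    """Hash of the last few bytes only, so block boundaries depend on local
    content and survive insertions or edits elsewhere in the file."""
    h1 = sum(window)
    h2 = sum((len(window) - i) * c for i, c in enumerate(window))
    h3 = 0
    for c in window:
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF
    return (h1 + h2 + h3) & 0xFFFFFFFF


def choose_block_size(length: int) -> int:
    """Smallest MIN_BLOCK * 2**k expected to give about SIG_LEN blocks."""
    block = MIN_BLOCK
    while block * SIG_LEN < length:
        block *= 2
    return block


def piecewise_signature(data: bytes, block_size: int) -> str:
    """One character per block: a block ends where the rolling hash hits the
    trigger value; the block's FNV-1 hash is reduced to one alphabet char."""
    chars = []
    block_hash = HASH_INIT
    for i, byte in enumerate(data):
        block_hash = ((block_hash * 0x01000193) & 0xFFFFFFFF) ^ byte  # FNV-1 step
        window = data[max(0, i - ROLLING_WINDOW + 1): i + 1]
        if (rolling_hash(window) % block_size == block_size - 1
                and len(chars) < SIG_LEN - 1):
            chars.append(ALPHABET[block_hash & 63])
            block_hash = HASH_INIT
    chars.append(ALPHABET[block_hash & 63])  # whatever is left is the last block
    return "".join(chars)


def fuzzy_hash(data: bytes) -> str:
    """ssdeep-style layout: blocksize:signature:signature_at_double_blocksize."""
    block = choose_block_size(len(data))
    return f"{block}:{piecewise_signature(data, block)}:{piecewise_signature(data, 2 * block)}"


def levenshtein(a: str, b: str) -> int:
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def similarity(s1: str, s2: str) -> int:
    """0..100: edit distance between two signatures, scaled by the longer one."""
    longest = max(len(s1), len(s2))
    return 100 if longest == 0 else round(100 * (1 - levenshtein(s1, s2) / longest))


def compare(hash1: str, hash2: str) -> int:
    """Only signatures at the same block size are comparable; the second,
    double-block-size signature bridges inputs that differ by a factor of two."""
    b1, s1, d1 = hash1.split(":")
    b2, s2, d2 = hash2.split(":")
    b1, b2 = int(b1), int(b2)
    if b1 == b2:
        return max(similarity(s1, s2), similarity(d1, d2))
    if b1 == 2 * b2:
        return similarity(s1, d2)
    if b2 == 2 * b1:
        return similarity(d1, s2)
    return 0


# Constructed sample inputs: a login log, the same log with one line altered,
# and pseudo-random bytes of the same length standing in for an unrelated file.
def _lcg_bytes(count: int, seed: int) -> bytes:
    out, x = bytearray(), seed
    for _ in range(count):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def sample_log(lines: int = 80) -> bytes:
    tokens = _lcg_bytes(4 * lines, seed=7)
    rows = []
    for i in range(lines):
        src = tokens[4 * i:4 * i + 4].hex()
        rows.append(f"{i:04d} user=alice action=login src={src}\n".encode())
    return b"".join(rows)


ORIGINAL = sample_log()
ALTERED = ORIGINAL.replace(b"0040 user=alice action=login", b"0040 user=alice action=admin")
UNRELATED = _lcg_bytes(len(ORIGINAL), seed=99)

if __name__ == "__main__":
    base = fuzzy_hash(ORIGINAL)
    for name, data in (("original", ORIGINAL), ("altered", ALTERED), ("unrelated", UNRELATED)):
        print(f"{name:>9}: {fuzzy_hash(data)}  score vs original = {compare(base, fuzzy_hash(data))}")
```

Running it prints three hashes: the altered log keeps most of the original's signature and scores high, the unrelated file scores near zero. For evidence work use ssdeep itself (its rolling hash, block-size rules and scoring differ in detail); this block is for understanding what a match from `ssdeep -m` means.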

Page 9
active registry monitor arm_db.rgf $40 (only runs thru XP)
– allows registry diff, run before and after installation
InCtrl5 $7 (only runs thru W2K)
– application installer analyzer
– keeps track of what changes happen on install
mdd.exe, from ManTech (no good on Vista)
Volatility, voltage, etc. from Aaron Walters
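The registry-diff and InCtrl5 entries above both work the same way: snapshot before the install, snapshot after, report the difference. The block below is an added example of that approach, not code from the talk or from either tool. The walker uses Python's standard winreg module and so only runs on Windows; the diff itself is plain Python and is exercised on constructed snapshots (the ExampleCorp keys and values are made up; the Run key path is the well-known autostart location). The snapshot layout is this example's own.

```python
"""Added example (not from the talk): snapshot a registry subtree before and
after an installation and diff the two, the idea behind the registry-monitor
and InCtrl5 tools on the slide."""
import json
from typing import Dict

try:
    import winreg  # standard library, Windows only
except ImportError:  # lets the diff logic run on other platforms
    winreg = None

# Snapshot layout: {"key\\path": {"value_name": [type_id, data]}}; type 1 is REG_SZ
Snapshot = Dict[str, Dict[str, list]]


def snapshot_key(hive: int, path: str) -> Snapshot:
    """Recursively read every value under hive\\path (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    result: Snapshot = {}
    _walk(hive, path, result)
    return result


def _walk(hive: int, path: str, result: Snapshot) -> None:
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:  # access denied, or key vanished between enumeration and open
        return
    with key:
        subkey_count, value_count, _modified = winreg.QueryInfoKey(key)
        values = {}
        for i in range(value_count):
            name, data, kind = winreg.EnumValue(key, i)
            # keep JSON-friendly data as is; binary blobs are kept as repr()
            values[name] = [kind, data if isinstance(data, (str, int, list)) else repr(data)]
        result[path] = values
        for i in range(subkey_count):
            _walk(hive, path + "\\" + winreg.EnumKey(key, i), result)


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Keys and values added, removed or changed between two snapshots."""
    report: Dict[str, list] = {"added_keys": [], "removed_keys": [], "added_values": [],
                               "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["added_keys"].append(key)
            continue
        if key not in after:
            report["removed_keys"].append(key)
            continue
        old, new = before[key], after[key]
        for name in sorted(set(old) | set(new)):
            if name not in old:
                report["added_values"].append((key, name, new[name]))
            elif name not in new:
                report["removed_values"].append((key, name, old[name]))
            elif old[name] != new[name]:
                report["changed_values"].append((key, name, old[name], new[name]))
    return report


# Constructed snapshots standing in for "before install" and "after install".
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
BEFORE: Snapshot = {
    RUN_KEY: {"ExampleAgent": [1, "C:\\Program Files\\Example\\agent.exe"]},
    "SOFTWARE\\ExampleCorp": {"Version": [1, "1.0"]},
}
AFTER: Snapshot = {
    RUN_KEY: {"ExampleAgent": [1, "C:\\Program Files\\Example\\agent.exe"],
              "Updater": [1, "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"]},
    "SOFTWARE\\ExampleCorp": {"Version": [1, "1.1"]},
    "SOFTWARE\\ExampleCorp\\Install": {"Path": [1, "C:\\Program Files\\Example"]},
}

if __name__ == "__main__":
    if winreg is not None:
        # Illustrative subtree choice; widen or narrow it to the install under study.
        before = snapshot_key(winreg.HKEY_CURRENT_USER, "Software")
        input("Run the installer now, then press Enter to take the second snapshot...")
        after = snapshot_key(winreg.HKEY_CURRENT_USER, "Software")
    else:
        before, after = BEFORE, AFTER
    print(json.dumps(diff_snapshots(before, after), indent=2))
```

The report separates new keys from changed values so that, for example, a new entry under the Run key (an autostart added by the installer) stands out from a version string being bumped. Snapshots can be saved as JSON and diffed later, which is what makes the before/after comparison repeatable.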

Page 10: See Windows Forensic Analysis by Harlan Carvey
di (physical disk info)
ldi (logical disk info)
sr (restore point settings from XP, no harm in Vista)
lsproc (gets processes from memory)
lspd (file name and offset from lsproc file to get process details)

Page 11: Free tools from Mandiant
Command line tools for minimal impact on target system
Grab important info on machine condition
Can collect for later comparison
Console lets results from individual systems be compared

Page 12: Mandiant

Page 13: (no text extracted)

Page 14: Collecting RAM -- a demo in Vista!
Target machine
– Start F-Response client
Analysis machine
– Start X-Ways Forensics (recent version)
– Set up iSCSI initiator
– Add medium to case
– Search or save

Page 15: Tools from HBGary
Analyze RAM
Suspect stuff is identified
$3500 basic GUI version – It really works!

Page 16: (no text extracted)

Page 17: New news – it’s not all on the hard drive