Live Forensics

Slide 1. Are you alive?
  - Gordon Mitchell
  - Future Focus, Inc
  - aka bug-killer, eSleuth, …

Slide 2. Shocking news
  - Federal judges now briefed on need for live forensics
  - Defense may object to your leaving out 2GB of evidence (RAM)
  - It may never be possible to find the important issues without live forensics.

Slide 3.
  - Ovie Carroll, DOJ at SANS Summit
  - Current forensics does not scale
  - Defense may ask about RAM
  - Need to collect even if it is not analyzed
  - Always need to focus on user attribution
  - User attribution must be in search warrant

Slide 4. Don’t pull the plug
  - Get status of network
  - Check all running processes
  - List the users, shares, …
  - Grab RAM

Slide 5. My info sources
  - Harlan Carvey’s book – a great resource
  - SANS Summit – the future of forensics
  - Software vendors
    - X-Ways Forensics (good forensics analysis)
    - F-Response (remote connection to HD & RAM)
    - Sysinternals (superb for Windows diagnostics)
    - Mandiant (PC profiling)
    - HBGary (impressive RAM parsing & analysis)

Slide 6. Sysinternals

Slide 7. Prevent popup EULA

Slide 8. Batch file of commands
  - Fuzzy hashing
    - Finds almost-same files, finds alterations, partial files
    - ssdeep -r <files> (to generate)
    - ssdeep -m file_of_hashes [options] (to compare)

Slide 9.
  - Active registry monitor arm_db.rgf, $40 (only runs thru XP)
    - Allows registry diff; run before and after installation
  - InCtrl5, $7 (only runs thru W2K)
    - Application installer analyzer
    - Keeps track of what changes happen on install
  - mdd.exe, from ManTech (no good on Vista)
  - Volatility, voltage, etc. from Aaron Walters

Slide 10.
  - See Windows Forensic Analysis by Harlan Carvey
  - di (physical disk info)
  - ldi (logical disk info)
  - sr (restore point settings from XP; no harm in Vista)
  - lsproc (gets processes from memory)
  - lspd (file name and offset from lsproc output to get process details)

Slide 11. Free tools from Mandiant
  - Command line tools for minimal impact on target system
  - Grab important info on machine condition
  - Can collect for later comparison
  - Console lets results from individual systems be compared

Slide 12. Mandiant

Slide 14. Collecting RAM – a demo in Vista!
  - Target machine
    - Start F-Response client
  - Analysis machine
    - Start X-Ways Forensics (recent version)
    - Set up iSCSI initiator
    - Add medium to case
    - Search or save

Slide 15. Tools from HBGary
  - Analyze RAM
  - Suspect stuff is identified
  - $3500 basic GUI version – It really works!

Slide 17. New news – it’s not all on the hard drive

Slide 18. Thanks for coming...
  - (888) eSleuth, www.eSleuth.com
  - [email_address]
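Slide 4's "don't pull the plug" checks (network status, running processes, users, shares) are the kind of thing the slide 8 batch file would run. The script below is an added example, not the presenter's batch file and not one of the Sysinternals, Mandiant or Carvey tools: it runs a fixed list of standard Windows commands in order of volatility, writes each output to its own file, and records command, UTC timestamp, exit status and SHA-256 in a manifest so the collection can be re-verified later. A command that fails or is missing is recorded rather than skipped, so the record shows what was attempted. The command list, the file layout and the manifest fields are this example's assumptions; RAM capture is left to a dedicated tool, as the slides do.

```python
"""Volatile-data collection runner (added example; not from the slides).

Runs a fixed list of checks in order of volatility, saves every command's
output to its own file and writes a manifest with a SHA-256 per artifact so
the collection can be re-verified later.
"""
import datetime
import hashlib
import json
import pathlib
import subprocess

# Most volatile first. These are standard Windows commands; the selection and
# order are this example's assumptions, not the presenter's batch file.
WINDOWS_CHECKS = [
    ("network_config", ["ipconfig", "/all"]),
    ("network_connections", ["netstat", "-ano"]),
    ("processes", ["tasklist", "/v"]),
    ("users", ["net", "user"]),
    ("shares", ["net", "share"]),
    ("sessions", ["net", "session"]),
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_check(name, argv, out_dir):
    """Run one command, store its output as <out_dir>/<name>.txt, return the manifest entry."""
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120)
        output = proc.stdout + proc.stderr
        status = proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Record the failure (missing tool, hung command) instead of silently skipping the step.
        output = str(exc).encode()
        status = None
    path = pathlib.Path(out_dir) / f"{name}.txt"
    path.write_bytes(output)
    return {
        "name": name,
        "command": argv,
        "started_utc": started,
        "exit_status": status,
        "file": str(path),
        "sha256": sha256_bytes(output),
    }


def collect(checks, out_dir):
    """Run every check in the given order and write manifest.json; returns the entries."""
    out = pathlib.Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    entries = [run_check(name, argv, out) for name, argv in checks]
    (out / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries


def verify(out_dir):
    """Re-hash every artifact against the manifest; returns the names that no longer match."""
    out = pathlib.Path(out_dir)
    entries = json.loads((out / "manifest.json").read_text())
    return [
        e["name"]
        for e in entries
        if sha256_bytes(pathlib.Path(e["file"]).read_bytes()) != e["sha256"]
    ]


if __name__ == "__main__":
    import sys

    target_dir = sys.argv[1] if len(sys.argv) > 1 else "collection"
    for entry in collect(WINDOWS_CHECKS, target_dir):
        print(entry["name"], entry["exit_status"], entry["sha256"][:16])
```

Run it from removable media with the output directory on that media, not on the target's disk, and hash the manifest itself once collection is finished; `verify()` then catches any later alteration of the saved outputs.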
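Slide 8's two commands (generate with `ssdeep -r`, compare with `ssdeep -m`) rest on context-triggered piecewise hashing, which is why a near-copy still matches while an ordinary SHA-256 would not. The Python below is an added example, not the presenter's code and not ssdeep's implementation: it keeps the idea in simplified form (a rolling hash picks content-defined chunk boundaries, each chunk gets a short SHA-256 digest, and similarity is the share of chunk digests two hashes have in common), so a one-byte edit or a truncated copy still scores against the original and an unrelated file scores near zero. The WINDOW and TRIGGER constants, the hash string format, the scoring rule and the constructed_sample data are all assumptions of the example; real ssdeep uses a different chunk hash, an edit-distance score and adaptive block sizes.

```python
"""Simplified context-triggered piecewise hashing (added example; not ssdeep's algorithm)."""
import hashlib
import random

WINDOW = 7             # bytes in the rolling window (assumption)
TRIGGER = 64           # average chunk size: a boundary is cut when hash % TRIGGER == TRIGGER - 1
BASE, MOD = 257, 1_000_000_007


def chunk_hashes(data: bytes) -> list:
    """Split data into content-defined chunks; return an 8-hex-char digest per chunk."""
    pow_w = pow(BASE, WINDOW, MOD)
    h, start, chunks = 0, 0, []
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD                     # push the new byte into the window
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * pow_w) % MOD  # drop the byte leaving the window
        if h % TRIGGER == TRIGGER - 1:               # boundary depends only on local content
            chunks.append(hashlib.sha256(data[start:i + 1]).hexdigest()[:8])
            start = i + 1
    if start < len(data):
        chunks.append(hashlib.sha256(data[start:]).hexdigest()[:8])
    return chunks


def fuzzy_hash(data: bytes) -> str:
    """Hash string in the style 'blocksize:digest,digest,...' (format is this example's)."""
    return f"{TRIGGER}:" + ",".join(chunk_hashes(data))


def compare(hash_a: str, hash_b: str) -> int:
    """0..100 score: percentage of chunk digests shared by the two hashes (Jaccard)."""
    size_a, chunks_a = hash_a.split(":", 1)
    size_b, chunks_b = hash_b.split(":", 1)
    if size_a != size_b:
        return 0  # different block sizes are not comparable
    a = set(chunks_a.split(",")) - {""}
    b = set(chunks_b.split(",")) - {""}
    if not a and not b:
        return 100
    return round(100 * len(a & b) / len(a | b))


def match_against(known: dict, candidate: str, threshold: int = 50) -> list:
    """Like `ssdeep -m`: (name, score) for every known hash scoring at least the threshold."""
    scored = [(name, compare(h, candidate)) for name, h in known.items()]
    return sorted((name, s) for name, s in scored if s >= threshold)


def constructed_sample(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a file (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    original = constructed_sample(1, 4096)
    edited = bytearray(original)
    edited[2000] ^= 0xFF                 # a single-byte alteration
    truncated = original[:2048]          # a partial file
    unrelated = constructed_sample(2, 4096)
    known = {"original": fuzzy_hash(original), "unrelated": fuzzy_hash(unrelated)}
    for label, blob in [("edited", bytes(edited)), ("truncated", truncated)]:
        print(label, match_against(known, fuzzy_hash(blob)))
```

The `-r` step of the slide corresponds to calling `fuzzy_hash()` over a tree and saving the strings; the `-m` step corresponds to `match_against()` with that saved table. Because chunk boundaries depend only on the surrounding bytes, an edit disturbs just the chunks around it, which is what lets the comparison survive changes that break a whole-file hash.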