Live Forensics
Live Forensics Presentation Transcript

  • Are you alive?
    • Gordon Mitchell
    • Future Focus, Inc
    • aka bug-killer, eSleuth, …
  • Shocking news
    • Federal judges now briefed on need for live forensics
    • Defense may object to your leaving out 2GB of evidence (RAM)
    • It may never be possible to find the important issues without live forensics.
    • Ovie Carroll, DOJ at SANS Summit
    • Current forensics does not scale
    • Defense may ask about RAM
    • Need to collect even if it is not analyzed
    • Always need to focus on user attribution
    • User attribution must be in search warrant
  • Don’t pull the plug
    • Get status of network
    • Check all running processes
    • List the users, shares, …
    • Grab RAM
  • My info sources
    • Harlan Carvey’s book – a great resource
    • SANS Summit – the future of forensics
    • Software vendors
      • X-Ways Forensics (good forensics analysis)
      • F-Response (remote connection to HD & RAM)
      • Sysinternals (superb for Windows diagnostics)
      • Mandiant (PC profiling)
      • HBGary (impressive RAM parsing & analysis)
  • Sysinternals
  • Prevent pop-up EULA
  • Batch file of commands
    • fuzzy hashing
      • finds almost-same files, finds alterations, partial files
      • ssdeep -r <files> (to generate)
      • ssdeep -m file_of_hashes [options] (to compare)
    • active registry monitor arm_db.rgf $40 (only runs through XP)
      • allows registry diff, run before and after installation
    • InCtrl5 $7 (only runs through W2K)
      • application installer analyzer
      • keeps track of what changes happen on install
    • mdd.exe, from ManTech (no good on Vista)
    • Volatility, voltage, etc. from Aaron Walters
    • See Windows Forensic Analysis by Harlan Carvey
    • di (physical disk info)
    • ldi (logical disk info)
    • sr (restore point settings from XP, no harm in Vista)
    • lsproc (gets processes from memory)
    • lspd (file name and offset from lsproc file to get process details)
  • Free tools from Mandiant
    • Command line tools for minimal impact on target system
    • Grab important info on machine condition
    • Can collect for later comparison
    • Console lets results from individual systems be compared
  • Mandiant
  • Collecting RAM -- a demo in Vista!
    • Target machine
      • Start F-Response client
    • Analysis machine
      • Start X-Ways Forensics (recent version)
      • Set up iSCSI initiator
      • Add medium to case
      • Search or save
  • Tools from HBGary
    • Analyze RAM
    • Suspect stuff is identified
    • $3500 basic GUI version – It really works!
  • New news – it’s not all on the hard drive
  • Thanks for coming...
    • (888) eSleuth
    • [email_address]
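As an added example, not taken from the presentation or from any of the vendors it names, here is the kind of "batch file of commands" the "Don't pull the plug" and "Prevent pop-up EULA" slides describe: collect network state, processes, users and shares, then RAM, without rebooting the target. Everything about the environment is assumed rather than stated on the page: the examiner's USB drive is lettered E:, known-good copies of the Sysinternals tools, ManTech's mdd.exe and md5deep sit in E:\tools, and the batch runs from an elevated command prompt on the target.

```batch
@echo off
REM live_collect.cmd -- added example, not the presenter's script.
REM Volatile-data collection in the order the slides list it: network status,
REM running processes, users and shares, then RAM.
REM Assumptions (none of this is on the page): trusted USB drive is E:,
REM known-good tools are in E:\tools, and we are already in an elevated prompt.
setlocal
set TOOLS=E:\tools
set OUT=E:\evidence\%COMPUTERNAME%
set LOG=%OUT%\collection_log.txt
mkdir "%OUT%" 2>nul

REM Every command run here changes the target (a new process, page-ins, and
REM one registry value, see below), so log what ran and when.
echo Collection on %COMPUTERNAME% by %USERNAME% > "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"

REM Prevent the Sysinternals EULA pop-up. The -accepteula switch writes
REM HKCU\Software\Sysinternals\<tool>\EulaAccepted=1 on the target; that is a
REM small, known footprint and better than a dialog hanging an unattended run.
echo NOTE: -accepteula writes EulaAccepted under HKCU\Software\Sysinternals >> "%LOG%"

REM 1. Network status. ipconfig/netstat/arp are the target's own binaries, which
REM    a compromised box may have replaced; tcpvcon from the trusted drive
REM    gives a second, independent view of the endpoints.
echo --- network >> "%LOG%"
ipconfig /all > "%OUT%\ipconfig.txt" 2>&1
netstat -ano  > "%OUT%\netstat.txt"  2>&1
arp -a        > "%OUT%\arp.txt"      2>&1
"%TOOLS%\tcpvcon.exe" -accepteula -a -n > "%OUT%\tcpvcon.txt" 2>&1

REM 2. Running processes: parent/child tree, loaded DLLs, open handles.
echo --- processes >> "%LOG%"
"%TOOLS%\pslist.exe"   -accepteula -t > "%OUT%\pslist.txt"   2>&1
"%TOOLS%\listdlls.exe" -accepteula    > "%OUT%\listdlls.txt" 2>&1
"%TOOLS%\handle.exe"   -accepteula -a > "%OUT%\handle.txt"   2>&1

REM 3. Users, logon sessions (with their processes, for attribution) and shares.
echo --- users and shares >> "%LOG%"
"%TOOLS%\psloggedon.exe"    -accepteula    > "%OUT%\psloggedon.txt"    2>&1
"%TOOLS%\logonsessions.exe" -accepteula -p > "%OUT%\logonsessions.txt" 2>&1
net user    > "%OUT%\net_user.txt"    2>&1
net share   > "%OUT%\net_share.txt"   2>&1
net session > "%OUT%\net_session.txt" 2>&1

REM 4. RAM. mdd.exe -o <file> is the ManTech imager the slides mention for XP;
REM    they also say it is no good on Vista, where the F-Response + X-Ways
REM    route replaces this step. Everything run above is now in memory too,
REM    so the image records this collection as well as the suspect activity.
echo --- RAM >> "%LOG%"
"%TOOLS%\mdd.exe" -o "%OUT%\%COMPUTERNAME%_ram.dd" >> "%LOG%" 2>&1
time /t >> "%LOG%"

REM 5. Hash the evidence and the tool kit so both can be proven unchanged later.
REM    Hash lists go outside %OUT% so md5deep does not hash its own output.
"%TOOLS%\md5deep.exe" -r "%OUT%"   > "E:\evidence\%COMPUTERNAME%_evidence.md5" 2>&1
"%TOOLS%\md5deep.exe" -r "%TOOLS%" > "E:\evidence\%COMPUTERNAME%_tools.md5"    2>&1
echo Done. Review "%LOG%", then move the drive to the analysis machine.
endlocal
```

The order above is the slide's order. The RAM image is the most volatile item, so a practitioner who has a memory tool that works on the target OS may prefer to take it first and run the text-output commands afterwards; either way the log records which happened when, which is what a defence question about the 2 GB of RAM will come down to. The ssdeep pair from the slides (`ssdeep -r` over a reference set, then `ssdeep -m file_of_hashes` against what was collected) is the follow-on step on the analysis machine for spotting altered or partial copies of known files.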