Digital Forensics and Incident Response

null Delhi Chapter Meet - January 2014

    Presentation Transcript

    • Incident response cycle: Preparation -> Identification and Analysis -> Containment -> Eradication -> Recovery -> Lessons learnt (which feeds back into Preparation)
    • Live response from an elevated cmd prompt and WMIC
        tasklist /v /fo csv
        tasklist /svc /fo csv
        netstat -ab
        dir /a/s /tc c:
        wmic startup list full /format:csv
        wmic process list full /format:csv
    • Artifacts to acquire
        Memory image
        Hibernation file
        Page file
        Registry hives
        Event logs
        $MFT
        Contents of the Prefetch folder
        File listing with MD5 hashes
    • Download SANS SIFT Workstation 2.14 from http://computerforensics.sans.org/community/downloads (SANS SIFT Workstation 3 to be released soon)
    • SIFT Workstation
        VMware appliance
        Cross compatibility between Linux and Windows
        A portable lab workstation you can use for your investigations
        Forensic tools preconfigured
        Option to install stand-alone via .iso or use via VMware Player/Workstation
    • You have to learn it like you do any tool
        Powerful command line capability
        It is a tool to accomplish deep forensic analysis: memory analysis, file system analysis, timeline analysis and many more
    • Login "sansforensics", password "forensics"
        $ sudo su   (use to elevate privileges to root while mounting disk images)
    • File System Support
        Windows (MSDOS, FAT, VFAT, NTFS)
        Mac (HFS)
        Solaris (UFS)
        Linux (EXT2/3)
      Evidence Image Support
        Expert Witness (E01)
        RAW (dd)
        Advanced Forensic Format (AFF)
    • SIFT directory layout
        /usr/local/src: source files for Autopsy, The Sleuth Kit and other tools
        /usr/local/bin: location of the forensic pre-compiled binaries
        /cases: location of the images that were seized from your compromised system
        /mnt: location of the mount points for the file system images
    • Registry and metadata tools
        RegRipper: automated registry analysis
        YARU: registry analyzer
        deleted.pl: recover deleted registry keys
        exiftool: parser for metadata
        libpff: .pst mail examination tool
    • Mounting an E01 image
        Elevate your privileges ($ sudo su)
        Change directories to /cases/<case directory>
        Mount the .E01 image file in the /mnt/ewf directory:
        $ mount_ewf.py <****.E01> /mnt/ewf/
        Mount the raw image that now appears under /mnt/ewf on the /mnt/windows_mount directory:
        $ mount -o ro,loop,show_sys_files,streams_interface=windows <raw image under /mnt/ewf> /mnt/windows_mount
        (ro keeps the evidence unmodified; if the image is a whole disk rather than a single partition, add offset=<partition start in bytes>, which mmls reports)
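The mount procedure above, followed by the "file listing with MD5 hashes" item from the acquisition checklist, as an added example script rather than anything from the slides. It assumes the SIFT paths the slides name (/cases, /mnt/ewf, /mnt/windows_mount), that mount_ewf.py exposes one raw file under /mnt/ewf, and that the caller supplies the image path and, for a whole-disk image, the partition offset; the hashing function only reads, so it can run on any mounted tree.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: mount an E01 read-only on SIFT the way
# the slide describes, then produce a path,size,mtime,md5 listing of the
# mounted tree. Image name and partition offset are assumptions the caller passes in.
set -eu

# mount_e01 <image.E01> [partition_offset_bytes]
# Exposes the E01 as a raw file under /mnt/ewf, then loop-mounts that raw file
# read-only with the NTFS options from the slide. Must run as root (sudo su).
mount_e01() {
    local e01="$1" offset="${2:-0}" raw
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su)" >&2; return 1; }
    [ -r "$e01" ] || { echo "cannot read $e01" >&2; return 1; }
    command -v mount_ewf.py >/dev/null || { echo "mount_ewf.py not found" >&2; return 1; }
    mkdir -p /mnt/ewf /mnt/windows_mount
    mount_ewf.py "$e01" /mnt/ewf/
    # Assumption: mount_ewf.py exposes a single raw image file in /mnt/ewf.
    raw=$(find /mnt/ewf -maxdepth 1 -type f | head -n 1)
    [ -n "$raw" ] || { echo "no raw image appeared under /mnt/ewf" >&2; return 1; }
    # A whole-disk image needs the partition offset (mmls "$raw" shows it);
    # a partition-only image mounts at offset 0.
    mount -o "ro,loop,offset=${offset},show_sys_files,streams_interface=windows" \
        "$raw" /mnt/windows_mount
    echo "$raw"
}

# hash_listing <root> <out.csv>
# Walks the tree and writes path,size,mtime(epoch seconds),md5 for every regular
# file, sorted by path so two runs of the same evidence diff cleanly. Unreadable
# files are recorded as UNREADABLE instead of aborting the run. Prints the row count.
# (Paths containing newlines or double quotes would break this simple CSV.)
hash_listing() {
    local root="$1" out="$2" f md5 size mtime
    printf 'path,size,mtime,md5\n' > "$out"
    find "$root" -type f | sort | while IFS= read -r f; do
        md5=$(md5sum "$f" 2>/dev/null | cut -d' ' -f1)
        [ -n "$md5" ] || md5=UNREADABLE
        size=$(stat -c %s "$f")
        mtime=$(stat -c %Y "$f")
        printf '"%s",%s,%s,%s\n' "$f" "$size" "$mtime" "$md5" >> "$out"
    done
    echo $(( $(wc -l < "$out") - 1 ))
}

# Stand-alone use on SIFT (paths are assumptions):
#   CASE_IMAGE=/cases/<case directory>/disk.E01 OFFSET=<bytes> bash mount_and_hash.sh
if [ -n "${CASE_IMAGE:-}" ]; then
    raw=$(mount_e01 "$CASE_IMAGE" "${OFFSET:-0}")
    echo "mounted $raw read-only at /mnt/windows_mount"
    n=$(hash_listing /mnt/windows_mount "$(dirname "$CASE_IMAGE")/file_listing_md5.csv")
    echo "hashed $n files"
fi
```

The listing is written next to the image under /cases rather than into the mounted tree, which is read-only anyway; md5deep -r would give the same hashes on SIFT, but find plus md5sum keeps the script portable to any Linux box with the image mounted.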
    • Memory analysis steps
        1. Identify rogue processes
        2. Analyze process DLLs and handles
        3. Review network artifacts
        4. Look for evidence of code injection
        5. Check for signs of a rootkit
        6. Dump suspicious processes and drivers
    • Volatility basics
        $ vol.py -f <image> --profile=<profile> <plugin>
        (vol.py -f <image> imageinfo suggests a profile if it is not known)
        $ export VOLATILITY_LOCATION=file://<filepath>
        $ export VOLATILITY_PROFILE=<profile>
        (with both variables exported, -f and --profile can be omitted)
        Convert a hibernation file, crash dump or VM memory file to a raw image:
        $ vol.py -f <image in format 1> --profile=<profile> imagecopy -O <imageformat1.img>
        Example plugins: cmdscan, consoles, connections, connscan, netscan
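The six memory analysis steps and the Volatility invocation above, combined into one added batch script (not code from the slides or from the Volatility project): each step maps to Volatility 2 plugins whose output lands in its own file, so the analyst reads results instead of retyping vol.py per plugin. Image path, profile (Win7SP1x64 is only an example) and output directory are assumptions supplied by the caller; VOL can be overridden to dry-run the command lines.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: run the six-step memory triage as a
# batch of Volatility 2 plugins. Image, profile and output directory are
# caller-supplied assumptions; VOL=echo dry-runs the commands.
set -eu
VOL="${VOL:-vol.py}"

# plugins_for_step <1..6>: Volatility 2 plugins an analyst runs at each step.
# Network plugins depend on the Windows version: connections, connscan and
# sockets are XP/2003 only, netscan is Vista and later. Both sets are run and
# the unsupported one simply leaves an error in its .err file.
plugins_for_step() {
    case "$1" in
        1) echo "pslist psscan pstree psxview" ;;              # rogue processes
        2) echo "dlllist handles getsids cmdscan consoles" ;;  # DLLs, handles, command history
        3) echo "connections connscan sockets netscan" ;;      # network artifacts
        4) echo "malfind ldrmodules" ;;                         # code injection
        5) echo "ssdt modscan driverscan apihooks" ;;           # rootkit signs
        6) echo "procdump memdump moddump" ;;                   # dumping (see dump_process)
        *) return 1 ;;
    esac
}

# run_plugin <image> <profile> <plugin> <outdir>
# Writes stdout to <outdir>/<plugin>.txt and stderr to <plugin>.err. A plugin
# that fails (wrong OS family, KDBG not found) must not abort the batch.
run_plugin() {
    local image="$1" profile="$2" plugin="$3" outdir="$4"
    mkdir -p "$outdir"
    "$VOL" -f "$image" --profile="$profile" "$plugin" \
        > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err" || true
    echo "$outdir/$plugin.txt"
}

# triage <image> <profile> <outdir>: steps 1 to 5, one sub-directory per step.
triage() {
    local image="$1" profile="$2" outdir="$3" step plugin
    for step in 1 2 3 4 5; do
        for plugin in $(plugins_for_step "$step"); do
            run_plugin "$image" "$profile" "$plugin" "$outdir/step$step"
        done
    done
}

# dump_process <image> <profile> <pid> <outdir>: step 6 for one PID picked
# from the step 1 to 5 output (executable image plus full address space).
dump_process() {
    local image="$1" profile="$2" pid="$3" outdir="$4"
    mkdir -p "$outdir/dumps"
    "$VOL" -f "$image" --profile="$profile" procdump -p "$pid" -D "$outdir/dumps"
    "$VOL" -f "$image" --profile="$profile" memdump -p "$pid" -D "$outdir/dumps"
}

# Stand-alone use on SIFT (paths and profile are assumptions):
#   MEM_IMAGE=/cases/<case directory>/memory.raw PROFILE=Win7SP1x64 bash memtriage.sh
if [ -n "${MEM_IMAGE:-}" ]; then
    triage "$MEM_IMAGE" "${PROFILE:?set PROFILE, e.g. Win7SP1x64}" "${OUTDIR:-./memtriage}"
fi
```

Keeping the .err files matters: a plugin that errors because the profile is wrong looks identical to a plugin that found nothing if only stdout is kept, and a wrong profile silently invalidates every step. Suspicious drivers found in step 5 are dumped the same way with moddump -b <base address> -D <dir>.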
    • Further reading
        https://code.google.com/p/volatility/wiki/
        http://computerforensics.sans.org/community
        SANS live classes and webcasts
        File System Forensic Analysis by Brian Carrier