5.2. Digital forensics
•
0 likes•622 views
This document summarizes a digital forensics case discussion between two security experts, Anton and George. They describe recovering data from a damaged hard drive image to help an employee named Anna avoid legal trouble. Techniques discussed include recovering the partition table, system files to obtain machine details, searching for malware, and analyzing a keylogger log file. Ultimately they were able to obtain secret key files that were potentially used in a crime, helping resolve Anna's case.
Report
Share
Report
Share
Download to read offline
Recommended
Memory Forensic - Investigating Memory Artefact
This document discusses memory forensics and summarizes a presentation about investigating memory artifacts. It introduces dracOs, an open-source Linux distribution for security research. It describes the current and planned forensics tools being integrated into dracOs. It then explains the basics of memory forensics, including why it is important, how memory is organized, common memory acquisition formats, and analysis tools like Volatility and Rekall. The presentation aims to provide knowledge about digital forensic analysis of memory dumps.
(Workshop) Memory Forensic - Investigating Memory Artefact
Presentation slide of memory forensic at Atmajaya University, Yogyakarta. This is the workshop side with hands-on material.
Dracos forensic flavor
This document discusses the digital forensic capabilities of the dracOs Linux distribution. It provides an overview of dracOs and its focus on digital forensics. It describes the current state of forensic tools integrated in dracOs and plans to develop a live CD for acquisition and analysis and new forensic tools. It also covers key aspects of digital forensics like stages of acquisition, analysis and reporting and categories of forensic techniques like device type, volatility and format type. Specific open source tools supported in dracOs are highlighted for tasks like disk imaging, file carving, file analysis, anti-malware, memory analysis and more. Contributing to dracOs's development is encouraged.
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
This document provides an overview of Autopsy 3.0 digital forensics software from Basis Technology. It discusses Autopsy's extensible framework that allows new modules to be added, its easy-to-use graphical interface, and how it provides fast results through automated ingest modules. The document demonstrates Autopsy's main features including ingest modules for hashing, keyword search, and web browser analysis, as well as content viewer modules and an external timeline viewer. It promotes upcoming training and a module writing competition, and encourages users and developers to get involved with the open source project.
computer forensic tools-Hardware & Software tools
This document discusses computer forensic tools and how to evaluate them. It covers the major tasks performed by forensic tools, including acquisition, validation, extraction, reconstruction, and reporting. Acquisition involves making a copy of the original drive, while validation ensures the integrity of copied data. Extraction recovers data through viewing, searching, decompressing, and other methods. Reconstruction recreates a suspect drive. Reporting generates logs and reports on the examination process and findings. The document examines both software and hardware tools, as well as command-line and graphical user interface options. Maintaining and selecting appropriate tools is important for effective computer investigations.
Anti-Forensic Rootkits
The document discusses anti-forensic rootkits and techniques that can manipulate digital evidence collected through live forensic imaging. It presents DDefy, a proof-of-concept anti-forensic rootkit that intercepts disk read requests and modifies the data returned to hide sensitive information from live forensic tools. DDefy demonstrates that current live imaging methods are insufficient to guarantee collection of untainted evidence, as they rely on the compromised system to provide the data. Better techniques are needed to directly acquire disk data and confirm it matches the kernel and userland views.
Anti forensic
Encryption, steganography, data hiding, artifact wiping, and trail obfuscation are anti-forensic techniques used to hide digital evidence and make forensic investigations difficult. These techniques aim to conceal criminal activity by hiding data in places that are hard to find and modify file metadata and attributes to cast doubt on evidence. While some argue these methods help improve forensic procedures, they are generally considered malicious since they are designed to cover up illegal acts and prevent authorities from proving criminal cases.
3871778
This document outlines an agenda for a two-day training on advanced digital forensics methods and tools. Day one will cover evidence acquisition, memory analysis, and labs on acquiring evidence from a system using FTK Imager and analyzing memory with Volatility. Day two will cover Windows forensic techniques, the Windows registry, timeline creation, file analysis, data recovery, and a final challenge lab. The training will teach best practices for incident response, forensic lab setup, investigating security breaches without modifying evidence, and analyzing physical memory and event logs.
Recommended
Memory Forensic - Investigating Memory Artefact
This document discusses memory forensics and summarizes a presentation about investigating memory artifacts. It introduces dracOs, an open-source Linux distribution for security research. It describes the current and planned forensics tools being integrated into dracOs. It then explains the basics of memory forensics, including why it is important, how memory is organized, common memory acquisition formats, and analysis tools like Volatility and Rekall. The presentation aims to provide knowledge about digital forensic analysis of memory dumps.
(Workshop) Memory Forensic - Investigating Memory Artefact
Presentation slide of memory forensic at Atmajaya University, Yogyakarta. This is the workshop side with hands-on material.
Dracos forensic flavor
This document discusses the digital forensic capabilities of the dracOs Linux distribution. It provides an overview of dracOs and its focus on digital forensics. It describes the current state of forensic tools integrated in dracOs and plans to develop a live CD for acquisition and analysis and new forensic tools. It also covers key aspects of digital forensics like stages of acquisition, analysis and reporting and categories of forensic techniques like device type, volatility and format type. Specific open source tools supported in dracOs are highlighted for tasks like disk imaging, file carving, file analysis, anti-malware, memory analysis and more. Contributing to dracOs's development is encouraged.
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
This document provides an overview of Autopsy 3.0 digital forensics software from Basis Technology. It discusses Autopsy's extensible framework that allows new modules to be added, its easy-to-use graphical interface, and how it provides fast results through automated ingest modules. The document demonstrates Autopsy's main features including ingest modules for hashing, keyword search, and web browser analysis, as well as content viewer modules and an external timeline viewer. It promotes upcoming training and a module writing competition, and encourages users and developers to get involved with the open source project.
computer forensic tools-Hardware & Software tools
This document discusses computer forensic tools and how to evaluate them. It covers the major tasks performed by forensic tools, including acquisition, validation, extraction, reconstruction, and reporting. Acquisition involves making a copy of the original drive, while validation ensures the integrity of copied data. Extraction recovers data through viewing, searching, decompressing, and other methods. Reconstruction recreates a suspect drive. Reporting generates logs and reports on the examination process and findings. The document examines both software and hardware tools, as well as command-line and graphical user interface options. Maintaining and selecting appropriate tools is important for effective computer investigations.
Anti-Forensic Rootkits
The document discusses anti-forensic rootkits and techniques that can manipulate digital evidence collected through live forensic imaging. It presents DDefy, a proof-of-concept anti-forensic rootkit that intercepts disk read requests and modifies the data returned to hide sensitive information from live forensic tools. DDefy demonstrates that current live imaging methods are insufficient to guarantee collection of untainted evidence, as they rely on the compromised system to provide the data. Better techniques are needed to directly acquire disk data and confirm it matches the kernel and userland views.
Anti forensic
Encryption, steganography, data hiding, artifact wiping, and trail obfuscation are anti-forensic techniques used to hide digital evidence and make forensic investigations difficult. These techniques aim to conceal criminal activity by hiding data in places that are hard to find and modify file metadata and attributes to cast doubt on evidence. While some argue these methods help improve forensic procedures, they are generally considered malicious since they are designed to cover up illegal acts and prevent authorities from proving criminal cases.
3871778
This document outlines an agenda for a two-day training on advanced digital forensics methods and tools. Day one will cover evidence acquisition, memory analysis, and labs on acquiring evidence from a system using FTK Imager and analyzing memory with Volatility. Day two will cover Windows forensic techniques, the Windows registry, timeline creation, file analysis, data recovery, and a final challenge lab. The training will teach best practices for incident response, forensic lab setup, investigating security breaches without modifying evidence, and analyzing physical memory and event logs.
Tisa mobile forensic
This document provides an overview of mobile phone forensic analysis, focusing on analysis of the iPhone. It discusses jailbreaking iPhones to allow forensic acquisition and analysis of file systems. It also discusses analyzing iTunes backup files from iPhones, which can contain data like call history, SMS messages, photos and more. Tools are presented for extracting and analyzing data from both jailbroken iPhones and iTunes backup files. The document emphasizes the importance of forensic soundness when acquiring data from mobile devices.
Forensics of a Windows System
The document discusses computer forensics in the context of investigating a Windows system. It outlines the process of gathering volatile data like memory contents and network connections using tools run from a trusted CD. Non-volatile data like the filesystem is acquired by imaging the entire disk. Timeline analysis uses data from files, registry keys and logs to determine when files and events occurred. The goal is to methodically identify and preserve digital evidence while following forensic standards.
Data Acquisition
Digital evidence acquisitions can be stored in raw, proprietary, or Advanced Forensics Format (AFF). The document discusses various acquisition methods and tools for disk-to-image, disk-to-disk, logical, and sparse acquisitions. It emphasizes the importance of validation, contingency planning, and minimizing alteration of evidence during the acquisition process. Special considerations are given for acquiring data from RAID systems and using Linux tools or remote network tools.
Live Memory Forensics on Android devices
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
LTEC 2013 - EnCase v7.08.01 presentation
This document discusses the digital forensic tool EnCase Forensic. It provides an overview of EnCase and its features, including that it is a leading forensic tool accepted in courts. The document then outlines a scenario where EnCase will be used to conduct a forensic investigation based on a search warrant. The remainder of the document walks through the key functions and screens of EnCase like adding disk images, searching for evidence, tagging evidence, and reporting while conducting the outlined forensic investigation scenario.
CNIT 121: 8 Forensic Duplication
This document discusses various types of forensic duplication including simple duplication that copies selected data versus forensic duplication that retains every bit on the source drive including deleted files. It covers requirements for forensic duplication including the need to act as admissible evidence. It describes different forensic image formats including complete disk, partition, and logical images and details scenarios for each type. Key aspects of forensic duplication covered include recovering deleted files, non-standard data types, ensuring image integrity with hashes, and traditional duplication methods like using hardware write blockers or live DVDs.
Encase Forensic
The document discusses EnCase, a digital forensics software. It can recover various types of data from devices including pictures, documents, and entire disk drives. The software includes tools for acquisition, analysis, and reporting. It uses the .E01 file format to store evidence and allows users to search devices for keywords, artifacts, and other digital evidence. The document provides instructions for downloading, installing, and using EnCase to examine digital media and create case files.
CNIT 152: 1 Real-World Incidents
The document summarizes two real-world incident response cases. The first case involved a 10-month attack where an attacker exploited an SQL injection vulnerability and eventually stole millions of payment card records over three months. The second case describes a spear phishing email that installed malware, allowing the attacker to compromise VPN credentials and steal sensitive engineering data over several weeks until a SIEM detected anomalous VPN access patterns. Both cases resulted in comprehensive incident response and remediation efforts.
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
Autopsy 3 is an easy to use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers will write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules, and how to get involved as a user or developer.
Linux forensics
Linux is well-suited for forensic investigations due to its free and open-source tools, flexible environment, and ability to access low-level interfaces. However, its tools are more complicated to use than commercial packages and typically lack technical support. Linux distributions use a directory tree with essential directories like /bin, /etc, /home, and /var. Important commands provide information on processes, network connections, and disk usage. The Linux boot process involves the BIOS, boot loader, kernel initialization, and starting of processes at designated run levels.
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Jyothishmathi Institute of Technology and Science Karimnagar
UNIT-II Initial Response and forensic duplication, Initial Response & Volatile Data Collection from Windows system -Initial Response & Volatile Data Collection from Unix system – Forensic Duplication: Forensic duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic. Duplicate/Qualified Forensic Duplicate of a Hard Drive CNIT 152: 3 Pre-Incident Preparation
This document discusses three key areas of preparation for effective incident response: preparing the organization, preparing the incident response team, and preparing the infrastructure. It provides details on identifying risks, policies to promote successful IR, educating users, defining the IR team mission, training the team, equipping the team, asset management, hardening hosts, implementing centralized logging, network segmentation, access controls, and documentation. The overall goal is to outline steps organizations can take before an incident occurs to facilitate rapid identification, containment, eradication and recovery.
Unmasking Careto through Memory Forensics (video in description)
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Encase V7 Presented by Guidance Software august 2011
The document discusses new features in EnCase Forensic v7, including an EnCase Processor that automates common forensic tasks like recovering deleted folders, signature analysis, hash analysis, and indexing text. The Processor runs modules that find artifacts from files, email, internet use, and more. It allows customization of templates and modules to target specific types of evidence and streamline workflow. A demonstration of the Processor's abilities is provided.
CNIT 121: 11 Analysis Methodology
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 12b Windows Registry
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
CNIT 152 11 Analysis Methodology
This document provides an overview of the incident response analysis methodology. It discusses establishing objectives, understanding the situation and resources needed. Leadership is important to define objectives and prevent miscommunication. The analysis should focus on answering realistic questions within the defined scope. All data sources like operating systems, applications, user data, and networks should be understood. Various analysis methods are described like reviewing anomalies, host artifacts, malware analysis, tools, and manual review. The results should be periodically evaluated for progress and completeness in answering questions.
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
This document discusses acquiring and analyzing volatile memory from Android devices. It provides an overview of traditional Linux memory forensics and the challenges with analyzing Android memory. It introduces the tools LiME and Volatility for acquiring memory from a running Android device and then analyzing that memory image. It demonstrates how to use these tools to extract useful forensic artifacts like processes, network connections, and files.
CNIT 152: 1 Real-World Incidents
The document describes an incident response case involving the compromise of a company's network. An attacker first gained access via a spear phishing email that exploited a vulnerable version of Adobe Acrobat. They then stole VPN credentials, allowing remote access from their home system. Over several weeks, the attacker performed reconnaissance and stole sensitive engineering data by modifying file permissions. The company's implementation of a SIEM tool helped identify the attacker's activities and multiple compromised accounts. An incident response team was brought in to fully eradicate the threat and secure the network.
Virtual Machine Forensics
Virtual machine forensics is an important topic for investigators. There are two types of hypervisors - Type 1 loads directly on hardware while Type 2 runs on an existing OS. The most common Type 2 hypervisors are Parallels, KVM, VirtualBox and VMware which allow virtual machines to run. Investigators must image both host systems and VMs, checking for VM files, network adapters and USB attachments to uncover any virtual machines. Live acquisitions of running VMs are also important to capture snapshot data.
Malware Analysis For The Enterprise
Covers building a malware analysis environment for enterprises that don't currently have a dedicated team for such purposes. Presented at Blackhat DC 2010.
Forensic Analysis and Discovery System
The document describes FADS (Forensic Agent Detection System), a digital forensics tool developed by the Security Research Group at Universiti Sains Malaysia. FADS allows for real-time network monitoring, detection of cyber attacks, and collection of evidence from server and client systems. It features several interfaces for forensic agents, notification of attacks, and storage of evidence in multiple databases for reporting purposes. FADS provides an easier way for law enforcement and organizations to conduct network forensics investigations and gather evidence of cyber crimes.
More Related Content
What's hot
Tisa mobile forensic
This document provides an overview of mobile phone forensic analysis, focusing on analysis of the iPhone. It discusses jailbreaking iPhones to allow forensic acquisition and analysis of file systems. It also discusses analyzing iTunes backup files from iPhones, which can contain data like call history, SMS messages, photos and more. Tools are presented for extracting and analyzing data from both jailbroken iPhones and iTunes backup files. The document emphasizes the importance of forensic soundness when acquiring data from mobile devices.
Forensics of a Windows System
The document discusses computer forensics in the context of investigating a Windows system. It outlines the process of gathering volatile data like memory contents and network connections using tools run from a trusted CD. Non-volatile data like the filesystem is acquired by imaging the entire disk. Timeline analysis uses data from files, registry keys and logs to determine when files and events occurred. The goal is to methodically identify and preserve digital evidence while following forensic standards.
Data Acquisition
Digital evidence acquisitions can be stored in raw, proprietary, or Advanced Forensics Format (AFF). The document discusses various acquisition methods and tools for disk-to-image, disk-to-disk, logical, and sparse acquisitions. It emphasizes the importance of validation, contingency planning, and minimizing alteration of evidence during the acquisition process. Special considerations are given for acquiring data from RAID systems and using Linux tools or remote network tools.
Live Memory Forensics on Android devices
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
LTEC 2013 - EnCase v7.08.01 presentation
This document discusses the digital forensic tool EnCase Forensic. It provides an overview of EnCase and its features, including that it is a leading forensic tool accepted in courts. The document then outlines a scenario where EnCase will be used to conduct a forensic investigation based on a search warrant. The remainder of the document walks through the key functions and screens of EnCase like adding disk images, searching for evidence, tagging evidence, and reporting while conducting the outlined forensic investigation scenario.
CNIT 121: 8 Forensic Duplication
This document discusses various types of forensic duplication including simple duplication that copies selected data versus forensic duplication that retains every bit on the source drive including deleted files. It covers requirements for forensic duplication including the need to act as admissible evidence. It describes different forensic image formats including complete disk, partition, and logical images and details scenarios for each type. Key aspects of forensic duplication covered include recovering deleted files, non-standard data types, ensuring image integrity with hashes, and traditional duplication methods like using hardware write blockers or live DVDs.
Encase Forensic
The document discusses EnCase, a digital forensics software. It can recover various types of data from devices including pictures, documents, and entire disk drives. The software includes tools for acquisition, analysis, and reporting. It uses the .E01 file format to store evidence and allows users to search devices for keywords, artifacts, and other digital evidence. The document provides instructions for downloading, installing, and using EnCase to examine digital media and create case files.
CNIT 152: 1 Real-World Incidents
The document summarizes two real-world incident response cases. The first case involved a 10-month attack where an attacker exploited an SQL injection vulnerability and eventually stole millions of payment card records over three months. The second case describes a spear phishing email that installed malware, allowing the attacker to compromise VPN credentials and steal sensitive engineering data over several weeks until a SIEM detected anomalous VPN access patterns. Both cases resulted in comprehensive incident response and remediation efforts.
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
Autopsy 3 is an easy to use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers will write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules, and how to get involved as a user or developer.
Linux forensics
Linux is well-suited for forensic investigations due to its free and open-source tools, flexible environment, and ability to access low-level interfaces. However, its tools are more complicated to use than commercial packages and typically lack technical support. Linux distributions use a directory tree with essential directories like /bin, /etc, /home, and /var. Important commands provide information on processes, network connections, and disk usage. The Linux boot process involves the BIOS, boot loader, kernel initialization, and starting of processes at designated run levels.
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Jyothishmathi Institute of Technology and Science Karimnagar
UNIT-II Initial Response and forensic duplication, Initial Response & Volatile Data Collection from Windows system -Initial Response & Volatile Data Collection from Unix system – Forensic Duplication: Forensic duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic. Duplicate/Qualified Forensic Duplicate of a Hard Drive CNIT 152: 3 Pre-Incident Preparation
This document discusses three key areas of preparation for effective incident response: preparing the organization, preparing the incident response team, and preparing the infrastructure. It provides details on identifying risks, policies to promote successful IR, educating users, defining the IR team mission, training the team, equipping the team, asset management, hardening hosts, implementing centralized logging, network segmentation, access controls, and documentation. The overall goal is to outline steps organizations can take before an incident occurs to facilitate rapid identification, containment, eradication and recovery.
Unmasking Careto through Memory Forensics (video in description)
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Encase V7 Presented by Guidance Software august 2011
The document discusses new features in EnCase Forensic v7, including an EnCase Processor that automates common forensic tasks like recovering deleted folders, signature analysis, hash analysis, and indexing text. The Processor runs modules that find artifacts from files, email, internet use, and more. It allows customization of templates and modules to target specific types of evidence and streamline workflow. A demonstration of the Processor's abilities is provided.
CNIT 121: 11 Analysis Methodology
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 12b Windows Registry
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
CNIT 152 11 Analysis Methodology
This document provides an overview of the incident response analysis methodology. It discusses establishing objectives, understanding the situation and resources needed. Leadership is important to define objectives and prevent miscommunication. The analysis should focus on answering realistic questions within the defined scope. All data sources like operating systems, applications, user data, and networks should be understood. Various analysis methods are described like reviewing anomalies, host artifacts, malware analysis, tools, and manual review. The results should be periodically evaluated for progress and completeness in answering questions.
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
This document discusses acquiring and analyzing volatile memory from Android devices. It provides an overview of traditional Linux memory forensics and the challenges with analyzing Android memory. It introduces the tools LiME and Volatility for acquiring memory from a running Android device and then analyzing that memory image. It demonstrates how to use these tools to extract useful forensic artifacts like processes, network connections, and files.
CNIT 152: 1 Real-World Incidents
The document describes an incident response case involving the compromise of a company's network. An attacker first gained access via a spear phishing email that exploited a vulnerable version of Adobe Acrobat. They then stole VPN credentials, allowing remote access from their home system. Over several weeks, the attacker performed reconnaissance and stole sensitive engineering data by modifying file permissions. The company's implementation of a SIEM tool helped identify the attacker's activities and multiple compromised accounts. An incident response team was brought in to fully eradicate the threat and secure the network.
Virtual Machine Forensics
Virtual machine forensics is an important topic for investigators. There are two types of hypervisors - Type 1 loads directly on hardware while Type 2 runs on an existing OS. The most common Type 2 hypervisors are Parallels, KVM, VirtualBox and VMware which allow virtual machines to run. Investigators must image both host systems and VMs, checking for VM files, network adapters and USB attachments to uncover any virtual machines. Live acquisitions of running VMs are also important to capture snapshot data.
What's hot (20)
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Viewers also liked
Malware Analysis For The Enterprise
Covers building a malware analysis environment for enterprises that don't currently have a dedicated team for such purposes. Presented at Blackhat DC 2010.
Forensic Analysis and Discovery System
The document describes FADS (Forensic Agent Detection System), a digital forensics tool developed by the Security Research Group at Universiti Sains Malaysia. FADS allows for real-time network monitoring, detection of cyber attacks, and collection of evidence from server and client systems. It features several interfaces for forensic agents, notification of attacks, and storage of evidence in multiple databases for reporting purposes. FADS provides an easier way for law enforcement and organizations to conduct network forensics investigations and gather evidence of cyber crimes.
Basic malware analysis
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
This talk was given at DEF CON 2010 by Jeremy Chiu, Benson Wu, and Wayne Huang
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
For antivirus vendors and malware researchers today, the challenge lies not in "obtaining" the malware samples - they have too many already. What's needed is automated tools to speed up the analysis process. Many sandboxes exist for behavior profiling, but it still remains a challenge to handle anti-analysis techniques and to generate useful reports.
The problem with current tools is the monitoring mechanism - there's always a "sandbox" or some type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out thus avoiding detection and analysis.
Here we release 0box--an afterDark analyser that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself. For example, evidences within the process module lists or discrepancies between kernel- and user-space datastructures. Since analysis is done post mortem, it is very hard for malware to detect the analysis.
By using runtime forensics to extract evidences, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (ex, process table tampering, unpacking oneself, adding hooks, etc). By running clustering algorithms in this space, we show that this technique not only is very effective and very fast at detecting malware, but is also very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find.
Using three case studies, we will demo 0box, compare 0box with 0box with recent talks at BlackHat and other security conferences, and explain how 0box is different and why it is very effective. 0box will be released at the conference as a free tool.
Malware Analysis Made Simple
Malware analysis is important for responding quickly to security incidents and keeping costs down. Malware is the number one external threat and is adapting to evade traditional defenses like firewalls and antivirus software. When incidents do occur, organizations should have an in-house capability to analyze malware using free and open-source tools to understand the scope of infections and prevent recurrences.
Leveraging NTFS Timeline Forensics during the Analysis of Malware
This document provides an overview of leveraging NTFS timeline forensics in malware analysis. It discusses analyzing the Master File Table (MFT) of the NTFS file system to establish a timeline and location of system changes. The document analyzes a rogue antivirus malware sample to demonstrate the technique, extracting information from the MFT, prefetch folder, registry hives, and recovering deleted files. While useful, MFT analysis must be corroborated with other methods due to potential for attribute manipulation.
Basic Malware Analysis
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
openioc_scan - IOC scanner for memory forensics
Indicator of Compromise (IOC) is a piece of information that can be used to search for or identify potentially compromised systems. openioc_scan is an open-source IOC scanner for memory forensics and implemented as a plugin of Volatility Framework. By checking IOCs in RAM images (e.g., code injection sign, used/hooked API functions, unpacked code sequences), we can detect malware faster and deeper than disk-based traditional IOCs. In this presentation, I explain how to define and improve IOCs for openioc_scan, introduce IOC examples including not only IOCs for specific malware but also ones focusing on generic traits of malware. I also show remote malware triage automation combining with F-Response.
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
The document discusses memory forensics and rootkit detection. It covers why memory forensics is important for malware analysis and incident response. Key topics include memory acquisition tools, the Volatility memory forensics framework, rootkit techniques like DLL injection, hooking, and process/driver hiding used by malware. Detection methods for these rootkit behaviors using Volatility plugins are also presented. The document appears to be from a security training presentation on memory forensics and rootkit analysis.
Investigating Malware using Memory Forensics
This document discusses memory forensics, which involves acquiring volatile memory from a system as a non-volatile image that can then be analyzed. It lists Monnappa K A's background and expertise in security investigations and memory forensics. The key steps in memory forensics are outlined as acquiring the memory dump, analyzing it to find forensic artifacts that can help reveal processes, network activity, registry changes and assist with unpacking malware and detecting rootkits. Several tools for acquiring memory on physical and virtual machines are also listed. An example scenario of using memory forensics to investigate a potentially infected system is provided.
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
H@dfex 2015 malware analysis
Charles Lim presented on malware analysis at a conference in Yogyakarta, Indonesia. He discussed various techniques for analyzing malware, including static analysis of program code and files, dynamic analysis by executing programs in sandboxes or virtual machines, and memory analysis of running processes. He also provided a case study of analyzing a malware infection that caused a denial of service attack through traffic flooding. Future challenges in malware analysis include dealing with packed or encrypted malware, evasive malware that uses anti-analysis techniques, and continuing to improve analysis through machine learning.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
CNIT 126 7: Analyzing Malicious Windows Programs
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
computer forensics
Computer forensics is the science of investigating digital devices and media for legal evidence. It began in the late 1980s with the creation of organizations like IACIS. Investigators use methods to detect and recover hidden, deleted, or encrypted data through techniques like disk analysis, steganalysis, and data carving. They must have expertise in operating systems, file systems, data storage, and encryption to properly handle electronic evidence for criminal and civil cases. While computer forensics allows thorough searches and analysis of large amounts of data, it also faces challenges such as ensuring evidence integrity and overcoming costs.
Introduction to Malware Analysis
This document provides an overview of malware analysis, including both static and dynamic analysis techniques. Static analysis involves examining a file's code and components without executing it, such as identifying file types, checking hashes, and viewing strings. Dynamic analysis involves executing the malware in a controlled environment and monitoring its behavior and any system changes. Dynamic analysis tools discussed include Process Explorer, Process Monitor, and Autoruns to track malware processes, files accessed, and persistence mechanisms. Both static and dynamic analysis are needed to fully understand malware behavior.
Viewers also liked (16)
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malware
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Similar to 5.2. Digital forensics
DracOs Forensic Flavor
Seminar on Mobile Forensic and Computer Security 2017
Universitas Ahmad Dahlan
Yogyakarta, 2017-02-17
dracOs is a linux distro for cyber security activity. But most of us know cyber security as offensive activity. How about digital forensic?
Here we are discussing about dracOs and masterplan for digital forensic in future release.
Enterprise Forensics 101
This document provides an overview of enterprise forensics from Mona Arkhipova of QIWI. It discusses common use cases for enterprise forensics including internal incidents, external incidents, and fraud investigations. It then outlines the steps of a typical live response including collecting system details, network information, processes, logs and disk/memory images. Specific collection for Linux and Windows systems is also covered. Forensic toolkits for both operating systems are listed and carving techniques are discussed for deep diving non-volatile evidence through timelines, file filtering and malware analysis. The document concludes with an overview of QIWI's forensic lab and tools used as well as considerations for reporting.
Cyber Incident Response & Digital Forensics Lecture
Originally a two hour Cyber Incident Response / Digital Forensics and Incident Response Lecture given to BSc students at a UK university
Logs, Logs, Logs - What you need to know to catch a thief
This will help you get started at Windows logging. What to Enable, Configure, Gather and Harvest to start catching hackers in their tracks.
The Windows Logging Cheat Sheet and SEXY Six Event ID's you MUST monitor and alert on.
MNSEC 2018 - Windows forensics
This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.
Forensics perspective ERFA-møde marts 2017
This document provides an overview of analyzing banker trojans from a digital forensics perspective. It discusses identifying how banker trojans persist on systems, how they are initially installed, and techniques for determining the timeline of infection. Free tools are presented for collecting artifacts like files, registry entries, and events for analysis. A case study of the Carbanak and Dridex banker trojans is briefly described. Finally, commercial incident response tools are summarized, including automated collection and analysis capabilities as well as reporting and data sharing functions.
Presentation cyber forensics & ethical hacking
This document provides an overview of cyber forensics. It introduces Ambuj Kumar, a cyber security analyst, and discusses topics like the cyber forensics process, goals of forensics investigations, how computers are used in cybercrimes, types of investigations and evidence, challenges in acquiring evidence, roles of first responders, locations of electronic evidence, the chain of custody process, and techniques like hashing, write protection, and analyzing deleted data.
Malware forensics
This document discusses keyloggers, malware detection, and forensic investigation of infected systems. It defines keyloggers as hardware or software that captures keystrokes and malware as malicious software like viruses and Trojans. It provides tips for detecting keyloggers and malware through artifacts in the system, registry, prefetch files, and suspicious files and entries. It outlines methods for determining the infection source and timeline, and identifying captured data, attacker information, and next steps for investigators.
Digital Forensics
Digital forensics involves analyzing digital artifacts like computers, storage devices, and network traffic as potential legal evidence. The process includes preparing investigators, collecting evidence while maintaining a chain of custody, examining and analyzing the data, and reporting the results. Key steps are imaging systems to obtain an exact duplicate without altering the original, recovering volatile data from memory, and using tools like EnCase and The Sleuth Kit to manually review and search the evidence for relevant information.
Digital forensics
Digital forensics involves analyzing digital artifacts like computers, storage devices, and network traffic as potential legal evidence. The process includes preparing investigators, carefully collecting and preserving evidence while maintaining a clear chain of custody, examining and analyzing the data found, and reporting the results. Key steps are imaging systems to obtain an exact duplicate without altering the original, recovering both data at rest and volatile memory, and using specialized tools to find relevant information for investigations. Examples of cases that relied on digital evidence include those of Chandra Levy and the BTK killer.
Advanced Persistent Threats
This document summarizes a presentation on Advanced Persistent Threats (APTs) given by Aryeh Goretsky, a Distinguished Researcher at ESET. The presentation defines APTs as determined adversaries who conduct cyber attacks in phases, including reconnaissance of targets, analysis of vulnerabilities, development of tools to exploit vulnerabilities, trial runs of attacks, and implantation of attacks on targets. It discusses techniques used in APTs, such as rootkits, command and control servers, custom file systems and partitions, evasion methods, firmware attacks, and programming languages. The presentation aims to explain how to think like a determined adversary conducting a cyber attack campaign.
Draft current state of digital forensic and data science
In this presentation we will introduce current state of digital forensics, its positioning in general IT security and relations with data science and data analyses. Many strong links exist among this technical and scientific fields, usually this links are not taken into consideration. For data owners, forensic researchers and investigators this connections and data views presents additional hidden values.
Let’s play the game. Yet another way to perform penetration test. Russian “re...
1) The document describes a "Red Team Exercise" penetration test performed by security experts against the internal systems of QIWI, a Russian payments company, to simulate a real-world attack.
2) Over the course of 2.5 months, the Red Team was able to compromise various critical system accounts and credentials by exploiting social engineering vectors and weaknesses in network security configurations.
3) The exercise was considered a success overall as it provided a realistic simulation of how external attackers may target the organization, and identified security gaps that needed to be addressed.
A Threat Hunter Himself
The document provides biographies and background information for two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
A Threat Hunter Himself
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
Super Easy Memory Forensics
FIRSTCON22のワークショップで使用した資料です。
https://www.first.org/conference/2022/program#pSuper-Easy-Memory-Forensics-You-Can-Mount-Memory-Images-and-Analyze-them-with-Explorer-and-Notepad
Computer forensics 1
This document provides an overview of computer forensics. It defines computer forensics as involving the preservation, identification, extraction, documentation and interpretation of computer data for legal evidence. The history of computer forensics is then summarized, noting its origins in the 1970s with early computer crimes and the realization that computer evidence was needed. An overview of who utilizes computer forensics and the basic methodology involving preparation, collection, examination, analysis and reporting is also provided.
CONFidence 2017: Hiding in plain sight (Adam Burt)
The security gap continues to evolve as attackers adjust their tactics to evade the latest defensive techniques. Using a recent case study, Adam Burt; Senior Systems Engineer at Fidelis Cybersecurity, will share his experience “From the Front Lines” on an example of the issues faced during investigations and Incident Response work.
css ppt.ppt
This document provides an overview of security and privacy issues related to computers and the internet. It discusses types of computer crimes like hacking and different methods criminals use. It also covers how to secure systems through identification and access controls, software security, firewalls and encryption. The document outlines disaster recovery plans and the importance of regular backups. It describes viruses, worms and other digital "pests" as well as precautions like antivirus software. The threats to personal privacy from widespread data collection and monitoring are examined. Laws around privacy and protecting children online are also mentioned.
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS- Part 1 describes in detail about Malware Investigation steps. It focuses on Identifying process anomalies, RootKit detection,
Similar to 5.2. Digital forensics (20)
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
Draft current state of digital forensic and data science
Draft current state of digital forensic and data science
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...
CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)
More from defconmoscow
7.4. Show impact [bug bounties]
This document discusses several security vulnerabilities and situations:
1. Same-site scripting involving loading an image from an external site that can read cookie data from the original site.
2. Self-XSS that could be used to log a victim out and hijack their account by drawing a pop-up window to steal credentials.
3. HTTP referrer headers leaking sensitive information when external resources like images are loaded from other sites.
4. Incomplete browser support for content security policies potentially leaving some users vulnerable to XSS.
5. Username enumeration through guessing common names in the URL space.
It encourages thinking broadly about attack vectors and thanks the audience for their questions.
7.3. iCloud keychain-2
The document discusses iCloud Keychain and iOS 7 data protection. It provides an overview of how iCloud Keychain works, including how keychain items are encrypted and stored in iCloud's key-value store and escrow proxy. It notes that with the default 4-digit security code, Apple or an adversary could perform an offline brute force attack to instantly decrypt the backup keybag and access synced keychain records. The document recommends using a complex, random security code and random iCloud ID to prevent such attacks. In conclusions, it stresses verifying vendor claims, never using a simple security code, and that iCloud Keychain is reasonably well-engineered but not without shortcomings.
7.1. SDLC try me to implenment
This document discusses implementing security practices throughout the software development lifecycle (SDLC) using an agile framework. It recommends that security teams provide requirements, guides, and tools to development teams and integrate security tasks into each sprint. It also advocates for maximum automation of security processes through DevOps practices like standardized secure cloud platforms. The document argues that SDLC is not a strict standard but a set of practices that can be tailored to each environment through shared security responsibilities between security and development teams.
6.4. PHD IV CTF final
This document discusses a CTF competition held by PHDays in 2014. It includes information about the participant Max Moroz and his team BalalaikaCr3w. The document then shows various commands used during the competition to get information about services, rules, and debug logs from the game. It also includes statistics on flags found and a discussion of the game's economics system involving tasks, rewards, and resources.
6.3. How to get out of an inprivacy jail
The document provides advice on how to examine mobile applications from a forensic perspective by analyzing what types of personal data different applications may store, including contacts, messages, media files, and account information. Specific examples are given for examining applications like WhatsApp, Facebook Messenger, Instagram, and Google Maps to understand what kinds of private user data may be accessible through a forensic analysis. The goal is to understand how to extract important evidence from a variety of mobile applications that people use everyday.
6.2. Hacking most popular websites
This document discusses tricks to hack popular websites. It begins by introducing bug bounty programs and common defenses on websites. It then describes three cross-site scripting vulnerabilities found on Google APIs. Next, it explains reverse clickjacking and how to exploit it. The document continues detailing vulnerabilities and exploits found on other sites, including using JavaScript to steal cookies and source code. It concludes by discussing content security policies and ways to bypass protections in browsers.
6.1. iCloud keychain and iOS 7 data protection
This document summarizes iCloud Keychain and iOS 7 data protection. It discusses how keychain encryption has evolved from AES-CBC to AES-GCM encryption. It also explains how iOS uses file-level encryption with per-file keys based on protection classes. The document then analyzes the security of iCloud Keychain, describing how it uses an escrow proxy and key-value stores. It identifies a risk in how default iCloud Keychain setups allow for near-instant decryption of synced keychain records. The document recommends using a complex iCloud security code or random password to prevent offline guessing of the escrowed encryption key.
6. [Bonus] DCM MI6
This document discusses malware analysis and provides a secret task. It defines malware as software used to disrupt computer operation, gather sensitive information, or gain access to private systems. It also defines analysis as breaking down a complex topic into smaller parts to gain understanding. The secret task involves decrypting strings hidden in a malware sample, finding a 224-bit magic string, sending it to Defcon Moscow along with a description, and becoming a speaker at a meeting. The document encourages those wanting to learn more about malware analysis to attend a workshop.
5.3. Undercover communications
Dennis Gamayunov discusses the history of undercover communications and encryption techniques. He describes how early systems like BBS, SMTP, and IRC lacked privacy and authentication. PGP introduced public-key cryptography for encrypting and signing messages. The Web of Trust model allows people to verify ownership of keys. However, fake keys and identities can undermine the system. The SILC protocol provides encryption for chat channels. OTR messaging provides forward secrecy, deniability, and no third-party proofs. Future work includes improving usability and expanding these techniques to group messaging.
5. [Daily hack] Truecrypt
This document discusses tools for recovering a partially lost Truecrypt password using a GPU when 4-5 symbols of the password are unknown. It describes the tools TrueCrack and oclHashCat, how they work by using the salt and encrypted string in the Truecrypt header to brute force possible passwords, and provides an example command to use oclHashCat to try passwords with unknown case and symbols replaced with wildcards.
4.5. Contests [extras]
The document announces several security contests including an XSS contest, a contest involving manipulating the location hash and location URL, and a CTF hosted at a website. It also mentions upcoming contests could involve categories like web, crypto, and exploitation challenges. Contact details are provided for more information.
4.4. Hashcracking server on generic hardware
This document discusses using generic computer hardware to build high-performance hash cracking systems. It describes the speaker's previous systems using CPUs and GPUs, with their most powerful system using multiple Radeon HD6990 and HD7990 graphics cards. Key challenges discussed are cooling, power supply requirements, and software compatibility issues. The speaker advocates for water cooling over air cooling due to temperature issues. Cost estimates are provided for building a powerful system capable of 112 billion MD5 hashes per second for $9000.
4.2. Web analyst fiddler
This document discusses using Fiddler, a web debugging proxy, to debug HTTP traffic and tune proxy settings. It highlights how Fiddler scripts allow setting breakpoints to inspect JavaScript files from multiple hosts to find the source of unwanted content, and how Fiddler can be used to download malware signatures and lists of dynamic DNS domains for analysis.
4.1. Path traversal post_exploitation
This document discusses techniques for path traversal attacks after gaining initial access to a system. It provides examples of important files and directories to access outside the web root, including password files, SSH keys, log files, and system information files. It also discusses common locations for these types of files on Linux, Windows, and Coldfusion systems. The goal of path traversal after initial access is to elevate privileges and gather additional sensitive information to fully compromise the target system.
3.3. Database honeypot
1. The document describes a rogue MySQL server that acts as a honeypot by exchanging file contents from attacking clients in response to their SQL queries.
2. It provides instructions on how the honeypot works by having the client send a query, the server responding with a request for a file, and the client then sending the file content.
3. The document also shares a GitHub link to the Python code for the rogue MySQL server honeypot and discusses using man-in-the-middle attacks to retrieve files from clients.
More from defconmoscow (20)
Recently uploaded
Bengaluru Dreamin' 24 - Personal Branding
Session on Personal Branding presented at Bengaluru Dreamin
HijackLoader Evolution: Interactive Process Hollowing
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
原版办【微信号:95270640】【新西兰林肯大学毕业证(Lincoln毕业证书)】【微信号:95270640】《成绩单、外壳、雅思、offer、真实留信官方学历认证(永久存档/真实可查)》采用学校原版纸张、特殊工艺完全按照原版一比一制作(包括:隐形水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠,文字图案浮雕,激光镭射,紫外荧光,温感,复印防伪)行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备,十五年致力于帮助留学生解决难题,业务范围有加拿大、英国、澳洲、韩国、美国、新加坡,新西兰等学历材料,包您满意。
【我们承诺采用的是学校原版纸张(纸质、底色、纹路)我们拥有全套进口原装设备,特殊工艺都是采用不同机器制作,仿真度基本可以达到100%,所有工艺效果都可提前给客户展示,不满意可以根据客户要求进行调整,直到满意为止!】
【业务选择办理准则】
一、工作未确定,回国需先给父母、亲戚朋友看下文凭的情况,办理一份就读学校的毕业证【微信号95270640】文凭即可
二、回国进私企、外企、自己做生意的情况,这些单位是不查询毕业证真伪的,而且国内没有渠道去查询国外文凭的真假,也不需要提供真实教育部认证。鉴于此,办理一份毕业证【微信号95270640】即可
三、进国企,银行,事业单位,考公务员等等,这些单位是必需要提供真实教育部认证的,办理教育部认证所需资料众多且烦琐,所有材料您都必须提供原件,我们凭借丰富的经验,快捷的绿色通道帮您快速整合材料,让您少走弯路。
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
留信网服务项目:
1、留学生专业人才库服务(留信分析)
2、国(境)学习人员提供就业推荐信服务
3、留学人员区块链存储服务
【关于价格问题(保证一手价格)】
我们所定的价格是非常合理的,而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子 我给客户的都是第一手的代理价格,因为我想坦诚对待大家 不想跟大家在价格方面浪费时间
对于老客户或者被老客户介绍过来的朋友,我们都会适当给一些优惠。
选择实体注册公司办理,更放心,更安全!我们的承诺:客户在留信官方认证查询网站查询到认证通过结果后付款,不成功不收费!
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
USYD硕士毕业证成绩单【微信95270640】《如何办理悉尼大学毕业证认证》【办证Q微信95270640】《悉尼大学文凭毕业证制作》《USYD学历学位证书哪里买》办理悉尼大学学位证书扫描件、办理悉尼大学雅思证书!
国际留学归国服务中心《如何办悉尼大学毕业证认证》《USYD学位证书扫描件哪里买》实体公司,注册经营,行业标杆,精益求精!
如果您是以下情况,我们都能竭诚为您解决实际问题:【公司采用定金+余款的付款流程,以最大化保障您的利益,让您放心无忧】
1、在校期间,因各种原因未能顺利毕业,拿不到官方毕业证+微信95270640
2、面对父母的压力,希望尽快拿到悉尼大学悉尼大学毕业证offer;
3、不清楚流程以及材料该如何准备悉尼大学悉尼大学毕业证offer;
4、回国时间很长,忘记办理;
5、回国马上就要找工作,办给用人单位看;
6、企事业单位必须要求办理的;
面向美国乔治城大学毕业留学生提供以下服务:
【★悉尼大学悉尼大学毕业证offer毕业证、成绩单等全套材料,从防伪到印刷,从水印到钢印烫金,与学校100%相同】
【★真实使馆认证(留学人员回国证明),使馆存档可通过大使馆查询确认】
【★真实教育部认证,教育部存档,教育部留服网站可查】
【★真实留信认证,留信网入库存档,可查悉尼大学悉尼大学毕业证offer】
我们从事工作十余年的有着丰富经验的业务顾问,熟悉海外各国大学的学制及教育体系,并且以挂科生解决毕业材料不全问题为基础,为客户量身定制1对1方案,未能毕业的回国留学生成功搭建回国顺利发展所需的桥梁。我们一直努力以高品质的教育为起点,以诚信、专业、高效、创新作为一切的行动宗旨,始终把“诚信为主、质量为本、客户第一”作为我们全部工作的出发点和归宿点。同时为海内外留学生提供大学毕业证购买、补办成绩单及各类分数修改等服务;归国认证方面,提供《留信网入库》申请、《国外学历学位认证》申请以及真实学籍办理等服务,帮助众多莘莘学子实现了一个又一个梦想。
专业服务,请勿犹豫联系我
如果您真实毕业回国,对于学历认证无从下手,请联系我,我们免费帮您递交
诚招代理:本公司诚聘当地代理人员,如果你有业余时间,或者你有同学朋友需要,有兴趣就请联系我
你赢我赢,共创双赢
你做代理,可以帮助悉尼大学同学朋友
你做代理,可以拯救悉尼大学失足青年
你做代理,可以挽救悉尼大学一个个人才
你做代理,你将是别人人生悉尼大学的转折点
你做代理,可以改变自己,改变他人,给他人和自己一个机会过暑假的小学生快乐的日子总是过得飞快山娃尚未完全认清那几位小朋友时他们却一个接一个地回家了山娃这时才恍然发现二个月的暑假已转到了尽头他的城市生活也将划上一个不很圆满的句号了值得庆幸的是山娃早记下了他们的学校和联系方式说也奇怪在山娃离城的头一天父亲居然请假陪山娃耍了一天那一天父亲陪着山娃辗转长隆水上乐园疯了一整天水上漂流高空冲浪看大马戏大凡里面有的父亲都带着他去疯一把山娃算了算这一次足足花了老爸元很
Discover the benefits of outsourcing SEO to India
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
学校原件一模一样【微信:741003700 】《(Vic毕业证书)惠灵顿维多利亚大学毕业证》【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
学校原件一模一样【微信:741003700 】《(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书》【微信:741003700 】学位证,留信认证(真实可查,永久存档)原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原。
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
【主营项目】
一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度)
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
原版一模一样【微信:741003700 】【新西兰奥克兰大学毕业证学位证书】【微信:741003700 】学位证,留信认证(真实可查,永久存档)offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
Should Repositories Participate in the Fediverse?
Presentation for OR2024 making the case that repositories could play a part in the "fediverse" of distributed social applications
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
原版定制【微信:bwp0011】《(umiami毕业证书)美国迈阿密大学毕业证文凭证书》【微信:bwp0011】成绩单 、雅思、外壳、留信学历认证永久存档查询,采用学校原版纸张、特殊工艺完全按照原版一比一制作(包括:隐形水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠,文字图案浮雕,激光镭射,紫外荧光,温感,复印防伪)行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备,十五年致力于帮助留学生解决难题,业务范围有加拿大、英国、澳洲、韩国、美国、新加坡,新西兰等学历材料,包您满意。
【业务选择办理准则】
一、工作未确定,回国需先给父母、亲戚朋友看下文凭的情况,办理一份就读学校的毕业证【微信bwp0011】文凭即可
二、回国进私企、外企、自己做生意的情况,这些单位是不查询毕业证真伪的,而且国内没有渠道去查询国外文凭的真假,也不需要提供真实教育部认证。鉴于此,办理一份毕业证【微信bwp0011】即可
三、进国企,银行,事业单位,考公务员等等,这些单位是必需要提供真实教育部认证的,办理教育部认证所需资料众多且烦琐,所有材料您都必须提供原件,我们凭借丰富的经验,快捷的绿色通道帮您快速整合材料,让您少走弯路。
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
【关于价格问题(保证一手价格)】
我们所定的价格是非常合理的,而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子 我给客户的都是第一手的代理价格,因为我想坦诚对待大家 不想跟大家在价格方面浪费时间
对于老客户或者被老客户介绍过来的朋友,我们都会适当给一些优惠。
Recently uploaded (12)
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
5.2. Digital forensics
- 1. Digital forensics(intro) By Anton Kalinin & George Lagoda Feb 15, 2014
- 2. /whoami Anton Kalinin Malware analyst Interests: bad toilet selfie Work at . . .
- 3. /wh0x41mi George Lagoda Security expert Pentester Interests: [deep|web]penetrations, revers, forensics, Work at . . .
- 4. Digital forensics, The. [quote] Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. [/quote]
- 5. What itz all about?
- 6. What we going to talk about • Data recovery • Evidence detection • Group-ib Olympic case discussion • Some tools discussion Basically we just goin to run through one more or less real interesting case and discuss techniques and tools we used…
- 7. Why do we need data recovery?
- 8. Why also we need data recovery • Damaged discs • Damaged images • Deleted files • Something encrypted • Something partially missing • Something damaged by malware […] All these things can omit evidence of crime
- 9. What can be restored • MBR • Partition table • Encrypted volume • Private pgp key, certificates,etc.. • Files/audio/video….. Why? Because it is still text with headers, structure, etc… How? TOOLS. Coming up later…
- 10. Can I haz cheezburger now? Group-ib image E01 format (Elcomsoft – making expensive but not very fast forensics software.) Image damaged 40 gb of unallocated space No partition table 1 employee does not want go to jail. Can we help to Anna?
- 11. And do u want to help her in that case?
- 12. Scanning disc with R-Studio
- 13. Trying to access to file system
- 14. Tasks for helping Anna • Find all partitions, their fs, size • Find system info : OS versions, system time, machine name, last power off time • All user accs • Autorun progs • All email addresses • Storage of secret key for digital signature, and is there anything telling about compromising this key • Antivirus software, malware detections, rdp connections, other people involved, their mails, malware on the disc, and some additional info about incident on disc…
- 15. Finding all partitions with disk internal partition recovery
- 16. Gathering system info • Recovering files from WindowsSystem32config – System, Software, Security, Sam, • Recovering NTUSER.dat from Users[username] • Downloading MiTec Windows Registry Recovery(www.mitec.cz/wrr.html) • Obtaining system info
- 17. searching malware • - autoruns • - %temp% • - %windir% or %systemdir% • - java cache • - downloads :) so on
- 18. Malware Analysis • fast way - monitors: - procmon - wireshark - total uninstall • my way: - hiew + ida
- 19. Anna's case. Found malware: • Mipko keylogger (already in AV’s bases) • KIS quarantined file • xls.exe (drops xls+rdptool+installer) it's enough to do bad stuff
- 20. Dropper.xls .exe
- 21. So now we have Windows 7 Ultimate Product ID: 00426-OEM-8992662-00400 KEY: 342DG-6YJR8-X92GV-V7DCV-P4K27 Version: Multiprocessor Free 6.1.7601.win7sp1_gdr.120330-1504 install date: 12.04.2013 17:09:15 With users :
- 22. Finding autorun with WRR
- 23. Secret key storage Recovering files and installing GNU4WIN on VM. Placing recovered files in the same folder on VM Opening Kleopatra
- 25. We need to find TC passwd and check on this secret file. Possible way is to look for keylooger and dig for logs or screens
- 27. Keylogger’s log
- 28. TC cracked
- 29. What we have? • System was compromise • Attackers obtained all passwd and key files to perform crime • Anna will be ok. Don’t worry.