Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.
CNIT 152: 4 Starting the Investigation & 5 Leads - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152 12 Investigating Windows Systems (Part 1 of 3) - Sam Bowne
This document provides an overview of analyzing the Windows NTFS file system for digital forensics investigations. It discusses the Master File Table (MFT) structure, how it tracks file metadata including timestamps, and how to recover deleted files. Tools for examining the MFT such as Velociraptor and WinHex are presented. Other Windows artifacts covered include Prefetch files, event logs, scheduled tasks, and volume shadow copies. The document provides technical details on these elements to help explain how Windows tracks files and how this data can be used for investigations.
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
Network topologies describe the layout of connections between devices in a network. The main types are ring, star, bus, mesh, tree, and hybrid. Ring topology uses a closed loop connection where data passes through each node sequentially. Bus topology connects all devices to a single cable. Star topology connects all devices to a central node. Mesh topology connects each device to every other device. Tree topology branches out from a root node.
1) The document provides guidance on developing leads during an incident response investigation. It discusses how to turn initial leads into indicators that can help detect ongoing or future attacks.
2) It covers creating both host-based indicators like file hashes and network indicators like DNS queries. Care must be taken to balance specificity and accuracy to minimize false positives.
3) Testing indicators on a sample of systems is recommended to ensure they only flag actually compromised machines and do not disrupt the environment. Resolving internal and external leads may involve documentation, avoiding leading questions, or legal options like subpoenas.
Live data collection on Windows systems can be done using prebuilt kits like Mandiant Redline or Velociraptor, or by creating your own scripted toolkit from built-in and free tools to collect processes, network connections, system logs, and other volatile data, while following best practices such as testing your methods first and being cautious of malware on the systems under investigation.
This document discusses administrative security controls and incident response management. It covers topics such as least privilege, separation of duties, privilege monitoring, forensic data collection and analysis, incident response phases including preparation, detection, response, and recovery, and continuity planning including backup strategies, fault tolerance, and disaster recovery processes. The goal of these controls and plans is to mitigate risks from both internal and external threats and ensure business continuity even during disruptive events.
The document describes an incident response case involving the compromise of a company's network. An attacker first gained access via a spear phishing email that exploited a vulnerable version of Adobe Acrobat. They then stole VPN credentials, allowing remote access from their home system. Over several weeks, the attacker performed reconnaissance and stole sensitive engineering data by modifying file permissions. The company's implementation of a SIEM tool helped identify the attacker's activities and multiple compromised accounts. An incident response team was brought in to fully eradicate the threat and secure the network.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This presentation describes penetration testing with a Who, What, Where, When, and How approach. It shows the common pitfalls of a bad penetration test and how to identify a better one. You should be able to recognize and differentiate the two by looking at both the methods (attitude) and the results.
The document discusses various aspects of secure software development lifecycles (SDLC). It covers quality factors, reasons for lack of security, and the typical 5 phases of SDLC - requirements gathering, design, development, testing/validation, and release/maintenance. It then provides more details on requirements gathering, design, development, and testing phases. Finally, it discusses different SDLC models, programming languages, concepts, and distributed computing standards.
How to Build an Insider Threat Program in 30 Minutes - ObserveIT
People are the core of your business, but they are also responsible for 90% of security incidents. There is no patch for people. To reduce the likelihood of insider threats, you need the right people, process and technology to make it happen.
Join our upcoming webinar and learn how to own the insider threat program at your company.
After this webinar you’ll know:
Terminology – what are the buzzwords (Insider Threat)
People – who needs to be involved to make it happen (exec team, legal, HR, etc.)
Process – how do you operationalize an insider threat program
Technology – how Insider Threat Management solutions work (ObserveIT)
About the speaker:
Jim Henderson is the CEO of TopSecretProtection.com and InsiderThreatDefense.com. Jim is a renowned Insider Threat Defense Program Training (ITDP) Course Instructor and has 15 years of hands-on experience developing successful Counterespionage-Insider Threat Defense Programs.
This document provides an overview of cryptography for computer networks. It discusses the basics of encryption including classical ciphers like the Caesar cipher and Vigenere cipher. It also covers perfect encryption using the one-time pad, encryption security models, asymmetric encryption, and how ciphers can be used for more than just encryption like authenticated encryption and format-preserving encryption. It concludes by discussing how implementations can sometimes go wrong if a weak cipher is used or the security model is incorrect.
Windows 7 introduced significant changes to event logging, including a new .evtx file format, over 100 additional event logs, and new security event numbering. Event logs provide system, security, and application events but can be noisy on their own; they are best analyzed in conjunction with other evidence to identify potentially important events. Proper collection and reconstruction of event logs on the analyst's system is important to ensure all message details are available.
The document discusses NTFS forensics and the structure of the NTFS file system. Some key points:
1) NTFS stores metadata about files and folders in the Master File Table ($MFT) using file records and attributes like $FILE_NAME and $DATA.
2) Files can be recovered by finding their data runs stored in the $MFT entry and reading the data from disk.
3) Additional forensic artifacts can be found in hidden internal files like $USNJRNL, $LogFile, and $Bitmap that contain metadata about file operations and deletions.
Complete coverage of CISSP Chapter 7 - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections or clarifications, please feel free to reach me.
This document discusses three key areas of preparation for effective incident response: preparing the organization, preparing the incident response team, and preparing the infrastructure. It provides details on identifying risks, policies to promote successful IR, educating users, defining the IR team mission, training the team, equipping the team, asset management, hardening hosts, implementing centralized logging, network segmentation, access controls, and documentation. The overall goal is to outline steps organizations can take before an incident occurs to facilitate rapid identification, containment, eradication and recovery.
This document provides an overview of identity and access management topics including authentication methods, password types, password hashing and cracking techniques, multifactor authentication, biometric systems, access control technologies like single sign-on and Kerberos, and identity management services. The key points covered are the four types of authentication (something you know, have, are, or where you are), methods for static, one-time, and dynamic passwords, password hashing and cracking attacks, and centralized vs decentralized access control systems.
The document discusses two cyber threats that existed in Morocco:
1. A password info stealer malware that was responsible for 90% of attacks. Intelligence tracking detected around 180GB of leaked data related to Moroccan domains and personal information, and over 320 spammers were identified from the data with connections to Morocco.
2. An ATM dispense malware that was gathered from Moroccan internet service providers. Technical details about the ATM malware were presented, but not summarized.
The document ends by stating that preparations are being made for the "next war", but does not clarify the purpose of the two threats.
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
MindMap - Forensics Windows Registry Cheat Sheet - Juan F. Padilla
This document summarizes information about the Windows Registry including its structure, tools used to access it, locations of hive files, and types of evidence that can be extracted including search history, recent documents, dialog boxes used, commands executed, and software/OS versions. It explains registry hives like HKEY_LOCAL_MACHINE, keys with MRU lists that track recently used items, and how timestamps and MRU lists can help determine the order and time of user activity on a system.
Introduction To Vulnerability Assessment & Penetration Testing - Raghav Bisht
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
This document discusses types of network monitoring including event-based alerts, packet captures, session information, and high-level statistics. It provides details on each type, such as common tools used and the information that can be obtained. It also covers topics like deploying a network monitoring system, analyzing network data, and collecting logs generated from network events.
This document provides an overview of security fundamentals including the CIA triad of confidentiality, integrity and availability. It discusses common security threats and countermeasures for each component. Additional concepts covered include identification, authentication, authorization, auditing, accountability, non-repudiation, data classification, roles in security management, due care/diligence, security policies, standards/guidelines, threat modeling and prioritization. The document is intended as a high-level introduction to fundamental security concepts.
The cyber kill chain describes cyber attacks from an attacker's perspective through distinct phases: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives. Each phase of the kill chain can be mapped to defensive tools and actions to prevent attacks. Understanding the kill chain stages gives analysts insight into what is being attempted and how to respond appropriately. The kill chain was developed by Lockheed Martin as a method to describe intrusions and prevent advanced persistent threats by highly trained adversaries targeting sensitive information.
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3) - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Securing Web Applications Ch 1-2 - Sam Bowne
This document discusses securing web applications. It describes how modern web apps allow two-way information flow and user login/content submission, which introduces security risks if user input is not properly validated. It emphasizes that the core security problem is that users can submit arbitrary input, and outlines common attacks like modifying prices or session tokens. The document then covers core defense mechanisms like authentication, session management, access control, input validation at boundaries, and handling errors and attacks through logging, alerts and responses.
CNIT 121: 12 Investigating Windows Systems (Part 3) - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2) - Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 3: Web Application Technologies - Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
This document discusses common vulnerabilities in access controls for web applications and best practices for securing them. It covers different types of privilege escalation like vertical, horizontal, and context-dependent escalation. It also discusses vulnerabilities like unprotected functionality that can be accessed without authentication, identifier-based functions where access is based on predictable IDs, and multistage functions where access is not re-validated at each step. The document provides recommendations for testing access controls and securing them through measures like centralizing control checks and restricting access based on sessions rather than request parameters.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D... - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2) - Sam Bowne
Request forgery techniques like on-site request forgery (OSRF) and cross-site request forgery (CSRF) allow attackers to trick a user's browser into making requests without the user's consent. OSRF uses stored XSS to inject links that trigger requests when clicked, while CSRF embeds requests directly on malicious sites. Defenses include anti-CSRF tokens and preventing sensitive actions via GET. The same-origin policy does not fully prevent cross-domain data theft using techniques like JavaScript hijacking, Flash, and relaxed HTML5 CORS policies.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
This document provides an overview of investigating Mac OS X systems, including analyzing the file system and various system artifacts. It discusses the HFS+ file system structures like the volume header, catalog file, and attributes file. It also covers time stamps, Spotlight indexing, and managed storage revisions. Key directories in the local, system, network, and user domains are outlined. Specific sources of evidence from the user domain like user accounts, shares, and trash are also mentioned. The document discusses tools like OpenBSM for system auditing and various system logs and databases that can be analyzed.
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This document provides an overview of Windows file systems and how they are used for digital forensics investigations. It discusses the File Allocation Table (FAT) file system and how it tracks file clusters. It also describes the New Technology File System (NTFS) and how it stores file metadata and tracks unused data clusters. The document outlines how file deletion, renaming and moving works in Windows, and artifacts that can be recovered from deleted files. It identifies several useful file types for forensic analysis, like shortcut files, the Recycle Bin, print spool files and registry keys.
System event logs, application logs, and other log files chronicle system events and can help with timeline reconstruction. Windows event logs are stored in XML or binary format and contain details like event type, date/time, and process information. Other useful logs include Prefetch files, scheduled tasks, recycle bin contents, hibernation files, and application-specific logs. Thoroughly investigating log files is important for finding relevant details in an investigation.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Windows Forensics- Introduction and AnalysisDon Caeiro
This document provides an overview of file systems and disk structures relevant to computer forensics investigations. It discusses key components of file allocation tables (FAT) and file systems like FAT12, FAT16 and FAT32. It also covers the New Technology File System (NTFS) used in Windows, including the master file table and how files are stored as either resident or non-resident attributes. The document also examines disk partitioning, the master boot record, and startup processes for Windows, MS-DOS, and other operating systems. Understanding these fundamental concepts is important when acquiring or analyzing data from a suspect's computer.
This document provides an overview of file I/O and systems programming in UNIX. It discusses file descriptors, opening and accessing files, file permissions, file systems, linking and renaming files, and password files. The key points covered are:
- Files are accessed using file descriptors rather than FILE objects.
- Common file access functions include open(), close(), read(), write(), and lseek().
- Each open file has a v-node containing metadata and pointers to functions for that file type.
- File permissions are checked against a process's effective user and group IDs.
- Directories map filenames to inodes, which contain file metadata and data block pointers.
- Functions for file manipulation include link(), unlink
Windows XP is a 32-bit, preemptive multitasking operating system that was the most widely used OS at the time. It has a layered architecture with a microkernel at its core providing basic services, and various user-mode subsystems that emulate other operating systems. Its design focuses on extensibility, portability, reliability, compatibility, and performance. It uses a file system called NTFS that supports advanced features like security and recovery through transaction logging.
Course 102: Lecture 27: FileSystems in Linux (Part 2)Ahmed El-Arabawy
This lecture goes through the different types of Filesystems and some commands that are used with filesystems. It introduces the filesystems ext2/3/4 , JFFS2, cramfs, ramfs, tmpfs, and NFS.
Video for this lecture on youtube:
http://www.youtube.com/watch?v=XPtPsc6uaKY
Check the other Lectures and courses in
http://Linux4EnbeddedSystems.com
or Follow our Facebook Group at
- Facebook: @LinuxforEmbeddedSystems
Lecturer Profile:
Ahmed ElArabawy
- https://www.linkedin.com/in/ahmedelarabawy
The document discusses the UNIX file system. It describes how the file system is organized in a tree structure that can be arbitrarily deep. Files include regular files, directories, device files, UNIX domain sockets, and named pipes. File permissions are managed through permission bits and special flags like setuid and setgid. Inodes store metadata about files like timestamps, ownership, and size. The file system is mounted to map directories to storage resources and unmounted to detach them.
This document provides information about a PowerShell presentation titled "Powering up on PowerShell". It includes the wireless network credentials to access the demo environment, a link to demo files, an agenda for the presentation topics, and a brief biography of the presenter. Some of the topics to be covered in the presentation include moving around the file system and registry, hashing, data storage techniques, custom event logging, WinRM logging, port scanning, and achieving persistence through PowerShell profiles.
This document summarizes key concepts related to I/O structure in operating systems, including disk structure, disk scheduling, disk management, and swap-space management. It discusses how disks are logically addressed and mapped to physical sectors. It also describes different disk scheduling algorithms like SSTF, SCAN, C-SCAN and factors that influence algorithm selection. The document outlines the processes involved in low-level formatting, logical formatting, and handling bad blocks. It concludes with an overview of swap-space management in various operating systems.
The document discusses Linux file systems and partitioning. It describes how to use the fdisk command to view and create partitions, and supported local file systems like Ext2, Ext3, Vfat, and ISO9660. It provides details on Ext3 file system structure, creation, conversion from Ext2, and tools like dumpe2fs, fsck, and tune2fs. It also covers mounting file systems using mount, automatic mounting from /etc/fstab, and unmounting file systems with umount.
Windows 7 introduces several changes from previous versions of Windows that are relevant to digital forensics. These include updated formats for BitLocker encryption that may not be readable by older forensic tools, new artifacts in the search index, prefetch and jump list files, and changes to how volume shadow copies store differential backups of file systems. Windows 7 also expands the use of virtualization for things like the registry and user folders, creating additional locations that must be examined during an investigation.
This document provides information about DHCP and DNS logging. It discusses:
- Microsoft DHCP logs location and format, with limitations like one week retention
- ISC DHCP logs to syslog and examples of log entries
- DNS logging using DNSCAP or network packet captures
- Microsoft and ISC BIND DNS logging configurations and limitations
It recommends searching DHCP logs by IP address or MAC address to identify devices, and DNS logs to see domains visited and querying IPs. The document also notes attackers may change IP addresses, and malware may strip version information to evade detection.
CNIT 152 12. Investigating Windows Systems (Part 3)Sam Bowne
This document discusses various artifacts left on Windows systems after interactive user sessions or malware infections that can be investigated during an incident response. These include LNK files, jump lists, the recycle bin, memory forensics evidence like handles and process injection artifacts, and alternative persistence mechanisms like startup folders, scheduled tasks, and DLL hijacking. Memory analysis tools like Volatility are also mentioned for parsing memory artifacts like process injection and hooks left by malware.
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
4. NTFS and FAT
• FAT was the old file system used by MS-DOS, Windows 95 and Windows 98
• NTFS replaced it for Windows system volumes, but FAT (and exFAT) is still common on removable media, so expect to see both in a case
5. Master File Table (MFT)
• Defines how disk space is allocated and utilized
• How files are created and deleted
• How metadata is stored and updated
6. MFT Contents
• Primary source of metadata in NTFS
• Contains or references everything about a file
• Timestamps
• Size
• Attributes (such as permissions)
• Parent directory
• Contents (stored inside the entry for very small files, otherwise referenced by cluster runs)
7. The Evidence
• Each NTFS volume has its own MFT
• Stored in the volume root as a file named $MFT (it occupies MFT entry 0)
• You need raw disk access to acquire $MFT; it is not accessible through Windows Explorer or standard file API calls
• Forensic tools with raw access (for example FTK Imager, or icat from The Sleuth Kit reading entry 0 of the volume) can copy it out of a live system or an image
8. MFT Structure
• A series of fixed-size records or "entries", one for each file and directory on the volume
• On a standard hard drive with 512-byte sectors each entry is 1024 bytes; on 4Kn (4096-byte-sector) disks Windows uses 4096-byte entries, so check "Bytes Per FileRecord Segment" in fsutil fsinfo ntfsinfo rather than hard-coding 1024 in a parser
• First 16 entries are reserved for essential NTFS metadata files: $MFT (0), $MFTMirr (1), $LogFile (2), $Volume (3), $AttrDef (4), the root directory "." (5), $Bitmap (6), $Boot (7), $BadClus (8), $Secure (9), $UpCase (10) and $Extend (11)
10. MFT Entry Contents
• Record type (file or directory)
• Record # (integer), plus a sequence number that is incremented each time the entry is re-used; a "file reference" is the pair, which is how a stale reference to an old occupant is told apart from the current one
• Parent record # (held in the $FILE_NAME attribute)
• Active/Inactive flag (the in-use bit)
• Deleted files are inactive
• Attributes (metadata)
12. Deleted Files
• Deleting a file marks its MFT record "inactive" (clears the in-use bit), frees its clusters in $Bitmap and removes its name from the parent directory's index
• The entry's attributes and the data clusters themselves are not wiped, so the file's contents and its metadata can be recovered until the entry or the clusters are re-used
• But NTFS re-uses free MFT entries before extending the MFT, so inactive entries on a busy volume, especially the operating system volume, may survive only seconds or minutes
• The data clusters often outlive the entry; recovering those without the metadata is what file carving does
13. Timestamps
• MACE timestamps: Modified, Accessed, Created, Entry Modified (when the MFT entry itself last changed)
• An MFT entry will always have at least two sets of attributes containing MACE timestamps:
• $STANDARD_INFORMATION (also known as $SIA or $SI)
• $FILE_NAME (also known as FNA, FILE_NAME or $FN)
14.
• The Created, Accessed and Modified values shown in a file's Properties dialog are the Standard Information ($SI) timestamps
• The Entry Modified timestamp is not visible in Windows Explorer
• Forensic tools like SleuthKit, EnCase and FTK show it
16. Accessed Timestamp
• Windows Vista and later no longer update the Accessed timestamp by default (Registry value HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate = 1)
• It can be re-enabled with a Registry change, but even when it is enabled NTFS may delay writing the update by up to an hour, so treat Accessed as the least reliable of the four timestamps
• Windows 10 1803 and later add a "system managed" mode that turns updates back on for small system volumes; check the actual host with fsutil behavior query disablelastaccess rather than assuming
• Link Ch 12a
17. $FN Timestamps
• Live in the $FILE_NAME attribute(s) of the MFT entry; the kernel sets them when the name is created (file creation, rename, or move within the volume) and ordinary reads and writes do not update them
• NTFS actually maintains multiple sets of file name attributes:
• Full, case-sensitive long filename
• MS-DOS 8.3 short file name (may be absent on newer Windows, where 8.3 name generation is disabled by default on non-system volumes)
18. Time-Stomping
• Only the $SI timestamps are exposed to user applications through the Windows API (SetFileTime), so ordinary programs can only alter those
• Backdating them is a process called "time-stomping"
• SetMACE can alter all the timestamps, including $FN, by writing to the volume directly (link Ch 12b)
• Malware droppers and installers often automate this process, copying timestamps from system files so the dropped file hides in the timeline
19. $SI and $FN Timestamps
• $SI timestamps are easily altered
• $FN timestamps require an indirect process to modify: stomp $SI first, then rename or move the file so the new $FILE_NAME attribute is populated from the stomped $SI values
• Inconsistencies usually remain between the $SI and $FN timestamps: $SI Created earlier than $FN Created, or $SI values whose sub-second part is all zeros (NTFS records 100 ns ticks, while most stomping tools write whole seconds)
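The two inconsistencies above can be checked mechanically once $SI and $FN values have been pulled from an MFT entry. The following is an added example written for these notes, not code from the book or the slides; the two entries it inspects are constructed, and it assumes the four MACE values of each attribute arrive as raw 64-bit FILETIME integers, which is how MFT parsers generally export them.

```python
"""Compare $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) MACE timestamps
of MFT entries and flag the two classic time-stomping tells.

Added example written for these notes; not code from the book or the slides.
The entries below are constructed. A real run would feed in the $SI/$FN
values exported by an MFT parser (assumed to be raw FILETIME integers).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns intervals


def filetime_to_datetime(ft: int) -> datetime:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Inverse of the above; extra_ticks adds sub-second 100 ns units."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10 + extra_ticks


@dataclass(frozen=True)
class Mace:
    modified: int
    accessed: int
    created: int
    entry_modified: int                # "E": when the MFT entry itself changed

    def values(self) -> tuple:
        return (self.modified, self.accessed, self.created, self.entry_modified)


@dataclass(frozen=True)
class MftEntry:
    record: int
    name: str
    si: Mace                           # $SI: reachable from user mode via SetFileTime
    fn: Mace                           # $FN: written by the kernel on create/rename/move


def stomping_indicators(entry: MftEntry) -> list[str]:
    """Reasons the $SI timestamps look manipulated (empty list = nothing found)."""
    hits = []
    # $FN Created is stamped when the name was created and is not exposed to
    # SetFileTime, so a $SI Created earlier than it was written by hand.
    if entry.si.created < entry.fn.created:
        hits.append("$SI created predates $FN created")
    # NTFS records 100 ns ticks; stomping tools usually write whole seconds,
    # so every $SI value ending in .0000000 is a strong tell.
    if all(v % TICKS_PER_SECOND == 0 for v in entry.si.values()):
        hits.append("all four $SI timestamps have a zero sub-second part")
    return hits


def triage(entries: list[MftEntry]) -> dict[str, list[str]]:
    """Map file name -> indicators, for the entries that have any."""
    return {e.name: hits for e in entries if (hits := stomping_indicators(e))}


# --- constructed sample entries -------------------------------------------------
def _ft(iso: str, ticks: int = 0) -> int:
    return datetime_to_filetime(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc), ticks)

# Ordinary file: both attribute sets agree and carry sub-second precision.
NORMAL = MftEntry(
    record=41_207, name="report.docx",
    si=Mace(_ft("2018-03-01T10:15:02", 1_234_567), _ft("2018-03-01T10:15:02", 1_234_567),
            _ft("2018-03-01T10:15:02", 1_234_567), _ft("2018-03-01T10:15:02", 1_234_567)),
    fn=Mace(_ft("2018-03-01T10:15:02", 1_234_567), _ft("2018-03-01T10:15:02", 1_234_567),
            _ft("2018-03-01T10:15:02", 1_234_567), _ft("2018-03-01T10:15:02", 1_234_567)),
)
# Dropped binary whose $SI was copied from a 2009 system file: whole-second
# values, and a Created time older than the $FN the kernel wrote in 2018.
STOMPED = MftEntry(
    record=88_113, name="svchost.exe",
    si=Mace(_ft("2009-07-14T01:14:26"), _ft("2009-07-14T01:14:26"),
            _ft("2009-07-14T01:14:26"), _ft("2009-07-14T01:14:26")),
    fn=Mace(_ft("2018-09-20T22:41:09", 5_502_931), _ft("2018-09-20T22:41:09", 5_502_931),
            _ft("2018-09-20T22:41:09", 5_502_931), _ft("2018-09-20T22:41:09", 5_502_931)),
)

if __name__ == "__main__":
    for name, reasons in triage([NORMAL, STOMPED]).items():
        print(name, "->", "; ".join(reasons))
```

Neither rule is proof on its own: a file copied from a FAT volume legitimately carries whole-second $SI values, and an installer that sets $SI deliberately to a release date will also trip the first rule, so the hits are leads to confirm against $UsnJrnl, Prefetch and the parent directory's INDX entries.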
22. Data Runs
• For a non-resident file the $DATA attribute lists every cluster holding the file's contents
• They may not be contiguous (fragmented file)
• The attribute stores "data runs": (length, starting cluster) pairs, each start encoded as a signed offset from the previous run, that must be assembled in order to get the complete file
• The attribute also records the allocated size and the real size; the bytes between the two in the last cluster are file slack
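The run-list encoding is compact and worth being able to decode by hand when a file has to be rebuilt from an image without a full forensic suite. The following is an added example written for these notes, not code from the book or the slides; it decodes the documented NTFS run-list format and reassembles a file from a constructed in-memory "volume". The same encoding is used by every non-resident attribute (for example a directory's $INDEX_ALLOCATION), so the decoder applies beyond $DATA.

```python
"""Decode the run list of a non-resident $DATA attribute and rebuild the file
from a raw volume image, the way a carver or icat does.

Added example written for these notes, not code from the book or the slides.
Encoding (documented NTFS on-disk format): each run begins with a header byte
whose low nibble is the size in bytes of the run-length field and whose high
nibble is the size of the LCN-offset field; the offset is signed and relative
to the previous run's LCN; a zero-size offset field marks a sparse run; a 0x00
header ends the list. The sample run lists and the 16-cluster "volume" below
are constructed for illustration.
"""
from typing import Optional

Run = tuple[Optional[int], int]        # (starting LCN, or None if sparse; cluster count)


def decode_data_runs(raw: bytes) -> list[Run]:
    """Parse a run list into absolute (LCN, length) pairs."""
    runs: list[Run] = []
    pos, lcn = 0, 0                    # lcn accumulates the signed deltas
    while pos < len(raw) and raw[pos] != 0x00:
        header = raw[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header 0x{header:02x} at offset {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:              # sparse: no clusters allocated, lcn unchanged
            runs.append((None, length))
            continue
        lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def reassemble(volume: bytes, raw_runs: bytes, cluster_size: int, real_size: int) -> bytes:
    """Concatenate the runs in VCN order and cut at the attribute's real size."""
    out = bytearray()
    for lcn, count in decode_data_runs(raw_runs):
        if lcn is None:
            out += bytes(count * cluster_size)          # sparse region reads as zeros
        else:
            start = lcn * cluster_size
            out += volume[start:start + count * cluster_size]
    return bytes(out[:real_size])      # allocated size may exceed real size (file slack)


# --- constructed sample ---------------------------------------------------------
CLUSTER = 4
VOLUME = bytearray(b"." * 16 * CLUSTER)
VOLUME[2 * CLUSTER:4 * CLUSTER] = b"HELLO, W"     # clusters 2-3
VOLUME[6 * CLUSTER:7 * CLUSTER] = b"ORLD"         # cluster 6, after a gap of unrelated data
# Run 1: header 0x11 (1-byte length, 1-byte offset): 2 clusters at LCN 2.
# Run 2: header 0x11: 1 cluster, offset +4 relative to LCN 2 -> LCN 6. Then 0x00 terminator.
FRAGMENTED_RUNS = bytes.fromhex("11 02 02  11 01 04  00")
REAL_SIZE = 12

if __name__ == "__main__":
    print(decode_data_runs(FRAGMENTED_RUNS))           # [(2, 2), (6, 1)]
    print(reassemble(VOLUME, FRAGMENTED_RUNS, CLUSTER, REAL_SIZE))
```

Two things to keep in mind when using this against a real volume: the LCNs are relative to the start of the NTFS volume, not the physical disk, so add the partition offset when reading a full-disk image; and a run list can be split across several MFT entries ($ATTRIBUTE_LIST) for heavily fragmented files, in which case the pieces must be decoded in VCN order.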
23. Resident Data
• An MFT entry contains 1024 bytes
• That is enough room to store the complete data for small files (up to roughly 700 or 800 bytes, after the header and other attributes) in the MFT itself
• These are called "resident files"
• The $DATA attribute's resident flag is set in the MFT entry
24. MFT Slack Space
• An MFT entry may contain leftovers from previously resident data
• This happens if a file was small enough to be resident and then grew too large to remain resident: the old content stays in the entry until it is overwritten
25. Alternate Data Streams
• Additional named $DATA attributes in a file's MFT entry
• Each can point to a unique set of cluster runs
• All the data streams share the same Standard Information and Filename attributes
• So they all share the same timestamps
27. Known Alternate Stream Names
• Browsers append a stream named Zone.Identifier to downloaded files (the "mark of the web")
• Its content is a small text block: a [ZoneTransfer] section with ZoneId=3 for the Internet zone; Windows 10 browsers also record ReferrerUrl and HostUrl, which tells you where the file came from
• Windows Explorer uses this data to determine the origin of a file and enforce security controls on it (the "Unblock" checkbox in Properties deletes the stream)
• List streams with dir /r or PowerShell Get-Item -Stream *, and read one with Get-Content -Stream Zone.Identifier; streams are lost when a file is copied to FAT/exFAT media
• Link Ch 12c
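Reading the stream is straightforward; the useful part is knowing what the fields mean. The following parser is an added example written for these notes, not code from the book or the slides. The two stream bodies are constructed; the URLs and file name in them are invented. The live-read helper uses the Windows-only file:stream open syntax and is skipped elsewhere.

```python
"""Parse the Zone.Identifier alternate data stream ("mark of the web") and,
on Windows, read it straight from a file.

Added example written for these notes, not code from the book or the slides.
The stream is a small INI-style text; ZoneId is present on every Windows
version that sets the mark, while ReferrerUrl and HostUrl appear only on
newer builds (Windows 10 era) and are treated as optional. The sample
stream contents below are constructed.
"""
import configparser
import sys
from dataclasses import dataclass
from typing import Optional

# URLMON security zones, keyed by ZoneId.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def from_untrusted_zone(self) -> bool:
        """Explorer/SmartScreen apply download warnings to Internet and Restricted."""
        return self.zone_id in (3, 4)


def parse_zone_identifier(text: str) -> MarkOfTheWeb:
    """Parse stream text such as '[ZoneTransfer]\\r\\nZoneId=3\\r\\n...'."""
    # Only '=' separates keys from values (URLs contain ':'), and no '%'
    # interpolation because URLs are often percent-encoded.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    section = cp["ZoneTransfer"]
    zone = int(section["ZoneId"])
    return MarkOfTheWeb(zone, ZONES.get(zone, f"unknown zone {zone}"),
                        section.get("ReferrerUrl"), section.get("HostUrl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read <path>:Zone.Identifier; None if the file carries no such stream.

    The 'file:stream' open syntax exists only on Windows/NTFS, so on other
    platforms this raises instead of returning a misleading None."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


# --- constructed sample streams -------------------------------------------------
LEGACY_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"
MODERN_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/downloads/\r\n"
                 "HostUrl=https://cdn.example.test/files/invoice.exe\r\n")

if __name__ == "__main__":
    m = parse_zone_identifier(MODERN_STREAM)
    print(m.zone_name, m.host_url, m.from_untrusted_zone)
    if len(sys.argv) > 1:                       # e.g. python motw.py C:\Users\x\Downloads\a.exe
        print(read_mark_of_the_web(sys.argv[1]))
```

When HostUrl is present it is usually the better lead than the browser history, because it survives history clearing and names the final download host rather than the page the user clicked on.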
31. INDX Attributes
• Directories keep their child entries in $INDEX_ROOT and $INDEX_ALLOCATION attributes (B-tree nodes carrying the "INDX" signature on disk), used to make file lookups faster
• Each index entry is a copy of the child's $FILE_NAME attribute: name, parent reference, sizes and MACE timestamps
• Slack space in INDX records often still contains entries for deleted or renamed files
• Links Ch 12h, 12i
33. Change Logs
• $LogFile tracks all transactions that change the structure of a volume (the circular NTFS journal used for crash recovery, typically 64 MB)
• File or directory creation/copy/delete
• Changes to file metadata or INDX records
• $UsnJrnl (Update Sequence Number journal), stored as \$Extend\$UsnJrnl with the records in its $J data stream
• Tracks less data per event (file reference, parent reference, timestamp, reason flags, file name) but covers a much longer history
34. Volume Shadow Copies
• Automatically created block-level snapshots of a volume, taken by System Protection (restore points) and before Windows updates
• Manage with the vssadmin and mklink command-line tools (link Ch 12k): vssadmin list shadows prints the "Shadow Copy Volume" device name of each snapshot
• Expose one as a directory with mklink /d C:\vss1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ (the trailing backslash is required)
36. Shadow Copy
• A mirror of the volume's entire file system at the time of the snapshot
• Available within the linked directory, so the $MFT, Registry hives and event logs as they were at that moment can be copied from it
• Collect them early: attackers and ransomware commonly run vssadmin delete shadows, and Windows discards the oldest snapshots as the allotted space fills
• Other tools:
37. File System Redirector
• Windows 32-bit on Windows 64-bit (WoW64)
• Redirects some folders elsewhere when 32-bit programs run on 64-bit Windows; for example %SYSTEMROOT%\System32 redirects to %SYSTEMROOT%\SysWOW64
• 32-bit tools may therefore not see the whole file system; a 32-bit process can reach the real System32 through the %SYSTEMROOT%\Sysnative alias, but the safe course is to use 64-bit collection tools on 64-bit hosts
39. C:\Windows\Prefetch Contains
• NTOSBOOT-B00DFAAD.pf (system boot prefetch), the only file present on Windows Server by default
• Layout.ini (for the disk defragmenter)
• Appname-########.pf, one per application, where ######## is a hash of the executable's path (limit 128 files through Windows 7; 1024 on Windows 8 and later)
• On Windows 10 the .pf files are compressed (they begin with "MAM" rather than the "SCCA" signature), so older prefetch parsers cannot read them
40. Value
• A record of programs executed on a system, even if the executable has since been deleted
• Shows when the application was first run (approximately the .pf file's creation time), when it most recently ran (stored in the .pf header; Windows 8 and later keep the last eight run times) and how many times it was run
• Also shows each file and directory the program touched during its first ten seconds, which can reveal a dropped DLL or configuration file
• Prefetching is controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters and is off by default on Server editions, so a missing .pf file is not proof a program never ran
44. Types of Logs
• Core event logs in all Windows versions
• Application: errors and info from apps; antivirus and host-based IPS logs
• System: events from core Windows services; changes in time, driver loads, network configuration issues
• Security: login and logoff attempts, changes to audit policy
45. Acquiring Logs
• Log file locations are specified in this Registry
key: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
• For Vista and later, the logs are in these XML
files:
46. Applications and Services Logs
• EVTX files in %SYSTEMROOT%\System32\Winevt\Logs
• Logs for Task scheduler, Windows Firewall,
AppLocker, Terminal Services, User Access
Control
47. Event ID
• Each event is labelled with its Source and Event
ID number
• Good resource: eventid.net
• Vista and later often have EventIDs that are 4096
larger than the EventID from Windows XP
51. Lateral Movement
• Attackers use stolen credentials to move from
system to system
• Often use a common administrator account
• Or a domain account or a domain administrator account
56. Process Auditing
• Not on by default
• Turn it on in local audit policy or Group Policy
• Puts an event in the Security log every time a
process is executed or terminated
• Generates a lot of log events
57. Service Events
• System logs record every time a service starts
or stops
• A common persistence mechanism for malware
59. Suspicious Things
• Abnormal usernames using PsExec
• Known-bad service names
• Errors from malicious binaries that were
deleted, but still referenced by a service
60. Log Analysis Tips
• Check Application log for AV alert during period
of interest
• Increase log file sizes to retain a longer history
• If log files in the old binary format are corrupt,
use FixEVT (link Ch 12m)
65. .job Files
• Configuration data for scheduled tasks
• One file per task
• In %SYSTEMROOT%\Tasks
• Files persist until shutdown or reboot of system
66. Task Scheduler Logs
• %SYSTEMROOT%\Tasks\SchedLgU.txt
• Records start time and completion of tasks
• Also Event Logs, including
• Microsoft-Windows-TaskScheduler%4Operational.evtx
• Security log
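An added example (not from the slides or the book) that turns a SchedLgU.txt log into a chronological list of task start and finish events. It assumes the common layout of that file: a quoted job name and program in parentheses, indented Started/Finished lines with a US-style timestamp, an indented Result line, and a "Most recent entry is above this line" marker, because the log is a ring buffer in which the lines after the marker are the oldest; the timestamp format is locale-dependent, and the task names, program names and times in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Entry header:  "Name.job" (program.exe)
ENTRY_RE = re.compile(r'^"(?P<job>[^"]+)" \((?P<program>[^)]*)\)\s*$')
# Event line:    <tab>Started 3/1/2019 2:15:00 AM   (or Finished ...)
EVENT_RE = re.compile(r'^\s+(?P<kind>Started|Finished) (?P<when>\S+ \S+ [AP]M)\s*$')
# Result line:   <tab>Result: The task completed with an exit code of (0).
RESULT_RE = re.compile(r'^\s+Result: (?P<result>.+?)\s*$')
# Ring-buffer marker written after the newest entry
MARKER = "Most recent entry is above this line"
# Timestamp format as written on a US-locale system (assumption)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def _parse_segment(lines: List[str]) -> List[Dict]:
    events, current = [], None
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            current = (m["job"], m["program"])
            continue
        m = EVENT_RE.match(line)
        if m and current:
            events.append({"job": current[0], "program": current[1],
                           "kind": m["kind"],
                           "when": datetime.strptime(m["when"], TIME_FMT),
                           "result": None})
            continue
        m = RESULT_RE.match(line)
        if m and events:
            events[-1]["result"] = m["result"]
    return events


def parse_sched_log(text: str) -> List[Dict]:
    """Return events in chronological order, unwrapping the ring buffer:
    lines after the marker are the oldest, lines before it the newest."""
    lines = text.splitlines()
    marker_at = next((i for i, line in enumerate(lines) if MARKER in line), None)
    if marker_at is None:
        return _parse_segment(lines)
    return _parse_segment(lines[marker_at + 1:]) + _parse_segment(lines[:marker_at])


def task_runs(events: List[Dict]) -> Dict[str, int]:
    """Count task starts per job; a job that ran far more often than its
    schedule suggests, or one you have never heard of, is worth a look."""
    return dict(Counter(e["job"] for e in events if e["kind"] == "Started"))


# Constructed sample: the newest entry sits above the marker, an older one below it
SAMPLE_LOG = (
    '"Maintenance.job" (cleanup.exe)\n'
    '\tStarted 3/2/2019 3:00:00 AM\n'
    '"Maintenance.job" (cleanup.exe)\n'
    '\tFinished 3/2/2019 3:00:04 AM\n'
    '\tResult: The task completed with an exit code of (0).\n'
    '[ ***** Most recent entry is above this line ***** ]\n'
    '"At1.job" (updater.exe)\n'
    '\tStarted 3/1/2019 2:15:00 AM\n'
    '"At1.job" (updater.exe)\n'
    '\tFinished 3/1/2019 2:15:09 AM\n'
    '\tResult: The task completed with an exit code of (0).\n'
)

if __name__ == "__main__":
    for e in parse_sched_log(SAMPLE_LOG):
        print(f"{e['when']:%Y-%m-%d %H:%M:%S} {e['kind']:8} {e['job']} ({e['program']})")
    print(task_runs(parse_sched_log(SAMPLE_LOG)))
```

Real logs are typically UTF-16 encoded, so read them with the matching encoding before passing the text in; the parser itself only works on decoded lines.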