Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Ch 1: Web Application (In)security
Ch 2: Core Defense Mechanisms
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This is a presentation I gave at DEF CON 23, in the Packet Hacking Village.
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Incident Response Fails – What we see with our clients, and their fails. As Incident Responders, what do we see as Incident Responders that you can do to be better prepared, reduce your incident costs, get answers faster and reduce the cost of an IR Firm if needed.
HackerHurricane
Malware Archaeology
MalwareArchaeology
LOG-MD
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security Strategies into Action"
Learn from those in the trenches who have deployed effective cyber strategies in their organizations, foiled attacks and managed breach situations. Learn approaches for success and pitfalls to avoid by exploring the experience of others with deployment and management of cyber security strategies and plans.
Learning Objectives:
Identify successes, challenges and lessons learned with implementation of cyber strategies
Identify success strategies for gaining the C Suite support and ways cyber security can be integrated into the organization's culture and work processes.
Identify best practices with anticipating new and emerging threats and ways to maintain a proactive position instead of reactive
Identify approaches for breach preparation and breach management
Featured Speakers:
Neal Ganguly, MBA, FCHIME, FHIMSS, CHCIO
VP & CIO
JFK Health System
Miroslav Belote
Director of IT – Infrastructure and Information Security Officer
JFK Health System
Nassar Nizami
CISO
Yale-New Haven Health System
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Safalta Digital marketing institute in Noida, provide complete applications that encompass a huge range of virtual advertising and marketing additives, which includes search engine optimization, virtual communication advertising, pay-per-click on marketing, content material advertising, internet analytics, and greater. These university courses are designed for students who possess a comprehensive understanding of virtual marketing strategies and attributes.Safalta Digital Marketing Institute in Noida is a first choice for young individuals or students who are looking to start their careers in the field of digital advertising. The institute gives specialized courses designed and certification.
for beginners, providing thorough training in areas such as SEO, digital communication marketing, and PPC training in Noida. After finishing the program, students receive the certifications recognised by top different universitie, setting a strong foundation for a successful career in digital marketing.
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
2. Scope
• What did the attacker do?
• Initial detection is usually only part of the story
3. Examining Initial Data
• Look at original alert
• You may notice more than the person who reported
it did
• Ask about other detection systems and review what
they recorded
• Network administrators may not think like
investigators
• Gather context for the detection event
4. Preliminary Evidence
• Determine what sources of preliminary evidence
may help
• Decide which sources you will actually use
• Collect and review the evidence
• Identify sources that are easy to analyze, and
that quickly provide initial answers
6. Indpendent Sources
• Firewall logs don't depend on registry keys, etc.
• Multiple independent exvidence sources lead to
more reliable conclusions
• It's difficult for an attacker to remove or modify
evidence from all sources
• Less likely that a routine process would overwrite
or discard all evidence
• Cross-check information, like date and time
7. Review
• Attacker may be causing more damage
• Test a detection method on one system, or a
small date range of log entries
• Make sure your detection method is fast and
effective
9. Data Loss Scenario
• Large online retailer
• You work in IT security department
• Customers are complaining about spam after
becoming a new customer
10. Finding Something Concrete
• Anecdotal customer complaints are
inconclusive
• Options
• Work with customers and review their email
• Relability and privacy problems
• Create fake customer accounts with unique
email addresses
11. Fake Accounts
• Use 64-character random usernames
• Unlikely that spammers would guess the
usernames
• Monitor those accounts
12. Preliminary Evidence
• Assuming customer data is being lost
somehow:
• Find where customer data is and how it is
managed
• One internal database on production server
• One external database at a third-party marketing
firm
15. Theories & Simple Tests
• Insider
• No easy way to test
• Modified code on website to capture email
addresses
• Enter some fake accounts directly into
database, bypassing the web form
• Someone copying backup tapes
• Add some fake accounts to the backups
16. Two Weeks Later
• Spam comes to the first set of fake accounts
• And to the accounts manually entered into the
database
• Suggests the website is not part of the
problem
• No spam from the accounts on the backup tape
• Backups aren't the source of data loss
17. New Theories
• Direct access to the database
• Malware on the database server
• Accessing it over the network
18. Monitoring Queries
• Network-level packet captures
• Expensive, powerful system required
• If queries are encrypted, or malware is
obfuscating them, it may be hard to decode
the traffic
• Database-level query monitoring and logging
• Most efficient and reliable technique
19. Next Steps
• Create a few more fake accounts
• Talk to database and application administrators
• To find out where data is stored
• Scan through logs to see what is "normal"
• No queries or stored procedures perform a bulk
export of email addresses on a daily basis
20. Two Weeks Later
• New accounts get spam
• Retrieve query logs from time accounts created
to spam time
• For the field "custemail"
• A single query is found
• SELECT custemail FROM custprofile WHERE
signupdate >= "2014-02-16"
21. Query Details
• Feb 17, 2014 at 11:42 am GMT
• Originated from IP in graphics arts dept.
• Query used an database administrator's
username from the IT dept.
• Interview reveals that graphics arts dept. has no
direct interaction with customers, only outside
vendors
25. Results from Workstation
• Examine images, focusing on actions at the time of
the query
• Malware found on workstation
• Persistent, provides remote shell, remote graphical
interface, ability to launch and terminate processes
• Connects to a foreign IP
• Has been installed for two years
• Cannot determine how system was originally
compromised
27. Scoping Gone Wrong
• After complaints from customers
• Search every computer in the company for
unique strings in the customer data,
• And files large enough to include all the
customer records
28. Problems
• No evidence that the stolen data is stored on
company servers
• No evidence that the data is all being stolen at
once in a large file
• And even so, it would probably be
compressed
• Large amount of effort; low chance of success
29. Another Unwise Path
• Focus on insiders
• Who had access and knowledge to steal the
customer data
• Compile profiles of numerous employees
• Review personnel files
• Background checks, surveillance softare
capturing keystrokes and screen images
• Video surveillance installed
30. Problems
• Leads to a "witch hunt"
• Invades privacy of employees
• Large effort, small chance of success
31. Another Unwise Path
• Because the data resides on the database
server
• Image and analyze RAM from the database
server to hunt for malware
• Because the hard drives are massive and too
large to investigate easily
32. Problems
• Once again, they have jumped to a conclusion
• And ignored other possibilities
• Large effort, low chance of success
33. Scenario 2: Automated
Clearing House Fraud
• Bank called the CEO--they blocked an ACH
transfer of $183,642.73
• To an account that was never used before
• Flagged by their fraud prevention system
• Transfer from CFO's account, but he says he
never authorized it
35. Preliminary Evidence
• Firewall
• Two weeks of logs
• Examine this first
• CFO's laptop computer
• Live resonse, RAM, hard drive
• But maybe other computers are involved
36. Firewall Logs
• Look near the time the unauthorized transfer
occurred (4:37 pm)
• See who logged in prior to that
• Two computers logged in via HTTPS, making a
number of connections between 4:10 pm and
4:48 pm
• From two IPs -- one is CFO's, other not
immediately recognized
37. Two Immediate Tasks
• Gather complete forensic evidence from CFO's
computer
• Live response, RAM, and hard disk
• Because evidence is being lost as time
passes
• Track down the other IP address and decide
what action is appropriate
38. DHCP Logs
• Search for the time in question
• Get MAC address from DHCP logs
• It's the MAC of the CFO's laptop!
45. Scoping Gone Wrong
• There are no recent antivirus or IDS alerts
• So you believe the security issue must be at the
bank
• Tell the bank to find the attacker and put them in
jail
46. Problems
• No attempt to validate the bank's original data
• Company assumes that existing network
security measures would detect a problem, if
there was one
• Assumption that a third-party can help you
• While you wait, data on company systems is
lost
47. Another Unwise Path
• CEO believes that security measures are in
place to prevent malware, so the CFO must have
initiated the transfer
• The CEO wants you to investigate the CFO and
avoid tipping him (or her) off
48. Problem
• No security measures are perfect, not even two-
factor authentication
• Also, that sort of investigation is outside your
expertise, and should be referred to an outside
contractor
50. Purpose of Live Collection
• Preserve volatile evidence that will further the
investigation
• Also collect log files and file listings
• Get answers quickly
• Minimize changes to the system
• Avoid disrupting business, causing crashes, or
destroying evidence
53. Altering the Evidence
• All live response changes the system
• Purists don't like it
• But the alternative is to lose all volatile data and
get only a disk image
• You can minimize changes, but not eliminate
them
54. Selecting a Live Response
Tool
• Homegrown Microsoft DOS batch script (or
bash)
• Perl-based script
• There are specialized live-response products,
free and commercial
55. Factors to Consider
• Is the tool generally accepted in the forensic
community?
• Does the solution address the common
operating systems in your environment?
• Tools that use OS commands should contain
known good copies of those commands, not
trust the local commands on the suspect
system
56. Factors to Consider
• Does the solution collect data that is important
to have, in your environment?
• How long does a collection take?
• Recommended: less than an hour per system
• Is the system configurable?
• Is the output easily reviewed and understood?
57. What to Collect
• Current running state of the system
• Network connections
• Running Processes
• What happened in the past
• File listings, system logs
• Usually a higher priority
58. The Deep End
• Some oranizations always collect entire RAM
contents, or hard disk images
• Don't collect data that you can't effectively use
or understand
• Collect data you can really use to quickly
determine the impact of the incident
61. Complete RAM Capture
• Requires specialized tools to collect and
interpret
• Not part of Live Response
• Sometimes needed on carefully chosen systems
62. Collection Best Practices
• Practice on a test system first
• Learn how fast the process is, and how large
the output is
• Practice handling problems
• Broken USB port or NIC
• Locked screen
63. Caution: Malware
• The system you are examining may be infected
with malware
• Any media you connect may become infected
• Any credentials you use may be compromised
67. Horror Stories:
IR Procedures
• Copy live response toolkit to affected systems,
save collected data back to that same system
including full RAM dump, several gigabytes in
size
• Remotely log in with domain administrator
account, run netstat & Task Manager
• Pull out the plug, image the hard drive
68. Good Methods of
Live Response
• Network share on a dedicated file server
• Not part of any domain
• Used throwaway credentials not used for any
other purpose
• Two folders
• Read-only containing the live response toolkit
• Writeable for output from live response toolkit
70. Live Response Tips
• Air-gap for evidence server
• Logging and auditing access to evidence server
• Automate process for consistency
• Live Response software must run as Local
Administrator/root
71. Media
• Some computers cannot connect external media
• Hardware failure, configuration, etc.
• Common options for running toolkit
• CD-ROM, DVD, network share
• Encrypted network streaming tool like
cryptcat or stunnel to send output to another
system
72. Unexpected OS
• Cannot run your normal live response toolkit
• If you can't update or modify your toolkit to run
• Perform manual live response
73. Unexpected OS
• Create a checklist of the automated steps in the
toolkit for a similar OS
• Research command-line options
• Test them on a known clean system, if possible
• Manually perform steps to collect evidence
74. Automation
• Decreases human error
• Makes processes more consistent and faster
• Helps to prevent bad guys from gathering
intelligence about how you respond to incidents
• Anything you do on the evidence system may
be sent to the bad guys
76. Three Main Options
• Use a prebuilt kit (Mandiant Redline)
• Create your own
• Use a hybrid of the two
77. Mandiant Redline
• Install the Redline MSI package on a trusted
workstation
• Create the Redline collector on the trusted
system
• The only step you take on a suspect system is to
run the stand-alone Redline collector batch script
• Automatically saves data to the same location
you ran the script from
78. Do It Yourself
• Make your own live response toolkit
• Decide what OS to support
• Windows has many versions, and big
differences between 32-bit and 64-bit
• Find tools that collect the information you want
79. Windows Built-in Tools
• Copy these files from a
clean Windows system
• Also copy cmd.exe
• "Trusted binaries"
• Don't trust files on the
evidence machine
80. Free Tools
• Use command-line
versions, not GUI
versions
• Easier to script
• Less impact
• Rename every tool so
you can identify it as
something you added
to the system
• Prepend "t_"
81. Other Data Items
• Prefetch information
• System restore point information
• Browser history, and more
• Balance your needs with the impact the
collection has on the system
83. Scripting Tips
• Add logging and compute a checksum of
collected data
• Be careful with file and directory names
• They may be long or include spaces
• Test your script extensively
• Built a test environment that resembles your
production systems
• Watch for errors and unexpected results
84. Memory Collection
• Tools for a full memory dump
• AccessData FTK Imager Lite
• Mandiant Memoryze
• Monsools Windows Memory Toolkit
90. LINReS
• From Network Intelligence India
• Written for RedHat 3 and 4, not updated since
2006
• Useful mainly as an example to guide you in
making a custom tool
91. Do It Yourself
• Really the only option
• Make some scripts
• Mandiant uses Bourne shell scripts that make
scripts for various Unix/Linux versions
• Requires constant maintenance
99. Memory Collection
• The memory device is handled differently in
every version of Unix, BSD, and Linux
• In earlier versions, you could just use dd to
collect RAM through the /dev/mem device
• Direct access to memory os now blocked for
security reasons
• Use LiME – Linux Memory Extractor (link Ch 7c)
100. Loadable Kernel Modules
• LiME is an LKM
• Must be compiled for the exact kernel version
running on the target system
• No ability to include checksums of the output
• You must do that yourself
101. Collection from BSD-Based
Kernels
• Use dc3dd or dcfldd to capture contents of
/dev/mem
• They are like dd but also include checksums
• In recent versions, there's no End Of File mark
in /dev/mem, so you must manually specify how
many bytes to capture
102. Collection from Apple OS X
• Memoryze for Mac (link Ch 7d)
• Mac Memory Reader seems to be gone