Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152 12. Investigating Windows Systems (Part 3) - Sam Bowne
This document discusses various artifacts left on Windows systems after interactive user sessions or malware infections that can be investigated during an incident response. These include LNK files, jump lists, the recycle bin, memory forensics evidence like handles and process injection artifacts, and alternative persistence mechanisms like startup folders, scheduled tasks, and DLL hijacking. Memory analysis tools like Volatility are also mentioned for parsing memory artifacts like process injection and hooks left by malware.
CNIT 121: 12 Investigating Windows Systems (Part 3) - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3) - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
CNIT 121: 13 Investigating Mac OS X Systems - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
The document summarizes two real-world incident response cases. The first case involved a 10-month attack where an attacker exploited an SQL injection vulnerability and eventually stole millions of payment card records over three months. The second case describes a spear phishing email that installed malware, allowing the attacker to compromise VPN credentials and steal sensitive engineering data over several weeks until a SIEM detected anomalous VPN access patterns. Both cases resulted in comprehensive incident response and remediation efforts.
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3) - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This document discusses various types of forensic duplication including simple duplication that copies selected data versus forensic duplication that retains every bit on the source drive including deleted files. It covers requirements for forensic duplication including the need to act as admissible evidence. It describes different forensic image formats including complete disk, partition, and logical images and details scenarios for each type. Key aspects of forensic duplication covered include recovering deleted files, non-standard data types, ensuring image integrity with hashes, and traditional duplication methods like using hardware write blockers or live DVDs.
CNIT 152: 4 Starting the Investigation & 5 Leads - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 13 Investigating Mac OS X Systems - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
This document provides information about DHCP and DNS logging. It discusses:
- Microsoft DHCP logs location and format, with limitations like one week retention
- ISC DHCP logs to syslog and examples of log entries
- DNS logging using DNSCAP or network packet captures
- Microsoft and ISC BIND DNS logging configurations and limitations
It recommends searching DHCP logs by IP address or MAC address to identify devices, and DNS logs to see domains visited and querying IPs. The document also notes attackers may change IP addresses, and malware may strip version information to evade detection.
The document describes an incident response case involving the compromise of a company's network. An attacker first gained access via a spear phishing email that exploited a vulnerable version of Adobe Acrobat. They then stole VPN credentials, allowing remote access from their home system. Over several weeks, the attacker performed reconnaissance and stole sensitive engineering data by modifying file permissions. The company's implementation of a SIEM tool helped identify the attacker's activities and multiple compromised accounts. An incident response team was brought in to fully eradicate the threat and secure the network.
This document discusses types of network monitoring including event-based alerts, packet captures, session information, and high-level statistics. It provides details on each type, such as common tools used and the information that can be obtained. It also covers topics like deploying a network monitoring system, analyzing network data, and collecting logs generated from network events.
CNIT 152: 6. Scope & 7. Live Data Collection - Sam Bowne
This document discusses live data collection during incident response investigations. It explains that live collection aims to preserve volatile evidence while minimizing disruption. Key points covered include:
- When live response is appropriate to collect data that would otherwise be lost.
- Risks of live response like altering the evidence.
- Factors to consider when selecting a live response tool like acceptance, OS support, configurability, and output understandability.
- What types of data are typically collected, such as current system state, logs, and network connections, versus more invasive options like full RAM captures.
- Best practices like practicing collection first and learning speeds and sizes.
CNIT 152 13 Investigating Mac OS X Systems - Sam Bowne
This document provides an overview of investigating Mac OS X systems, including analyzing the file system and various system artifacts. It discusses the HFS+ file system structures like the volume header, catalog file, and attributes file. It also covers time stamps, Spotlight indexing, and managed storage revisions. Key directories in the local, system, network, and user domains are outlined. Specific sources of evidence from the user domain like user accounts, shares, and trash are also mentioned. The document discusses tools like OpenBSM for system auditing and various system logs and databases that can be analyzed.
This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.
This document discusses three key areas of preparation for effective incident response: preparing the organization, preparing the incident response team, and preparing the infrastructure. It provides details on identifying risks, policies to promote successful IR, educating users, defining the IR team mission, training the team, equipping the team, asset management, hardening hosts, implementing centralized logging, network segmentation, access controls, and documentation. The overall goal is to outline steps organizations can take before an incident occurs to facilitate rapid identification, containment, eradication and recovery.
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3) - Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
This document provides an overview of the incident response analysis methodology. It discusses establishing objectives, understanding the situation and resources needed. Leadership is important to define objectives and prevent miscommunication. The analysis should focus on answering realistic questions within the defined scope. All data sources like operating systems, applications, user data, and networks should be understood. Various analysis methods are described like reviewing anomalies, host artifacts, malware analysis, tools, and manual review. The results should be periodically evaluated for progress and completeness in answering questions.
This chapter discusses security engineering concepts including security models, evaluation methods, and secure system design. It covers topics such as the Bell-LaPadula and Biba models, evaluation standards like TCSEC and Common Criteria, secure hardware architectures involving CPUs and memory protection, and virtualization and distributed computing concepts. The chapter aims to explain foundational principles for engineering secure systems and applications.
This document provides information about a PowerShell presentation titled "Powering up on PowerShell". It includes the wireless network credentials to access the demo environment, a link to demo files, an agenda for the presentation topics, and a brief biography of the presenter. Some of the topics to be covered in the presentation include moving around the file system and registry, hashing, data storage techniques, custom event logging, WinRM logging, port scanning, and achieving persistence through PowerShell profiles.
This document provides an overview of PowerShell and discusses various techniques for using PowerShell, including: moving around the filesystem and accessing system components; hashing files; storing data in alternate locations like the registry, Active Directory, and event logs; creating custom event logs; enabling remote management (WinRM) and logging; port scanning; and achieving persistence through PowerShell profiles. The speaker is an experienced cybersecurity professional and PowerShell enthusiast who develops tools and teaches classes related to PowerShell.
This document summarizes a PowerShell presentation given at Bsides Greenville 2019. It provides wireless network credentials, links to PowerShell cheat sheets and demos, and lists the speaker's background and experience with PowerShell. The presentation agenda covers topics like moving around the file system, hashing, data storage, custom event logs, WinRM logging, port scanning, and persistence through profiles.
This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.
Fiddler is a free web debugging proxy that monitors and manipulates HTTP/HTTPS traffic between a computer and the Internet. It can inspect traffic, set breakpoints, and modify requests and responses. Fiddler functions as a reverse proxy by capturing and reconstructing messages passing through it. This allows developers to debug web applications, analyze performance issues, and test servers. It supports common protocols and can debug services running as Windows services. Fiddler is extensible through scripting and has use cases for traffic inspection, performance analysis, debugging, and testing.
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu - NETWAYS
The Beats are a friendly army of lightweight agents that, installed on your servers, capture operational data and ship it to Elasticsearch for analysis. They are open source, written in Golang, and maintained by Elastic, the company behind Elasticsearch, Logstash, and Kibana.
This talk will present the first three Beats: Topbeat for system level metrics, Filebeat for log files and Packetbeat for wire data. It will also demonstrate how to combine them with Logstash and Kibana in one advanced monitoring solution, unifying log management, metrics monitoring and system stats. Finally, you will learn how to create a new Beat from scratch using Golang and the libbeat framework to capture any type of information and ship it to Elasticsearch.
System event logs, application logs, and other log files chronicle system events and can help with timeline reconstruction. Windows event logs are stored in XML or binary format and contain details like event type, date/time, and process information. Other useful logs include Prefetch files, scheduled tasks, recycle bin contents, hibernation files, and application-specific logs. Thoroughly investigating log files is important for finding relevant details in an investigation.
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_S18.shtml
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems - Felipe Prado
Firmware analysis often involves searching firmware images for known file headers and file systems like SquashFS to extract contained files. Automated binary analysis tools like binwalk can help extract files from images. HTTP interfaces are common targets for security testing since they are often exposed without authentication. Testing may uncover vulnerabilities like XSS, CSRF, SQLi or command injection. Wireless interfaces also require testing to check for issues like weak encryption or exposure of credentials in cleartext.
This document summarizes several security analysis tools, including CACLS for modifying access control lists in Windows, NSLOOKUP for resolving domain names to IP addresses, Traceroute/tracert for tracing the network path between hosts, Ping for checking network connectivity, and WS-Ping which combines tools like Ping, Traceroute, network scanning, and information gathering. It also discusses SATAN and Nessus, which are vulnerability scanners that detect potential security issues by analyzing network configurations and services without exploiting any vulnerabilities.
Web server hardening involves securing Apache and IIS web servers through configuration changes and access restrictions. For Apache, this includes removing default files, hiding version numbers, securing modules, and restricting file permissions. For IIS, hardening involves disabling unnecessary services and accounts, auditing logs, restricting shares/ports, and securing script mappings, filters and the metabase. The goal is to limit vulnerabilities like profiling, DoS attacks and unauthorized access.
Windows processes contain executable code and resources like memory. Processes start threads to perform tasks concurrently. Threads are lighter weight than processes and share process resources. The Windows kernel manages processes, threads, memory and hardware through system calls.
Best And Worst Practices Deploying IBM Connections - LetsConnect
Depending on deployment size, operating system and security considerations you have different options to configure IBM Connections. This session will show examples from multiple customer deployments of IBM Connections. I will describe things I found and how you can optimize your systems. Main topics include: simple (documented) tasks that should be applied, missing documentation, automated user synchronization, TDI solutions and user synchronization, performance tuning, security optimizing and planning Single Sign On.
This document provides an overview of the PMIx reference implementation and server initialization process. It describes the different process types in PMIx including clients, servers, and tools. It details the functions and options used to initialize a PMIx server, including specifying the server type and setting up structures. It also outlines the various functions that can be implemented in the server's backend module to provide host-level services and interactions with non-PMIx systems.
CNIT 129S: Ch 3: Web Application Technologies - Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 152 12 Investigating Windows Systems (Part 1 of 3) - Sam Bowne
This document provides an overview of analyzing the Windows NTFS file system for digital forensics investigations. It discusses the Master File Table (MFT) structure, how it tracks file metadata including timestamps, and how to recover deleted files. Tools for examining the MFT such as Velociraptor and WinHex are presented. Other Windows artifacts covered include Prefetch files, event logs, scheduled tasks, and volume shadow copies. The document provides technical details on these elements to help explain how Windows tracks files and how this data can be used for investigations.
This document discusses open source logging and metrics tools. It provides an introduction to customizing logs from common daemons and focuses on log aggregation, parsing, and search. It describes a demo setup using the ELK stack to aggregate and visualize logs and metrics from a Drupal site. The document discusses shipping logs with rsyslog and logstash, and parsing different log formats. It also covers monitoring performance with tools like Graphite and Grafana.
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
The document discusses investigating Windows systems by analyzing the Windows Registry. It describes the purpose and structure of the Registry, including the main hive files and user-specific hives. It provides an overview of important Registry keys that can contain forensic artifacts, such as system configuration keys, network information keys, user and security information keys, and auto-run keys that can indicate malware persistence. Specific Registry keys and values are highlighted that are most useful for analyzing evidence on a compromised system, including ShellBags, UserAssist, MRU lists, and Internet Explorer TypedURLs and TypedPaths. Tools for Registry analysis like RegRipper, AutoRuns, and Nirsoft utilities are also mentioned.
The document discusses various topics related to cyberwar including Mastodon, Lockheed-Martin's kill chain model, and Mitre's ATT&CK framework. It notes that China, Russia, Iran, and North Korea pose major cyber threats according to the FBI and CISA. China is described as the broadest cyber espionage threat. Russia conducts destructive malware and ransomware operations. Iran's growing cyber expertise makes it a threat. North Korea's program poses an espionage, cybercrime, and attack threat and continues cryptocurrency heists.
- DNS vulnerabilities can arise from configuration errors, architecture mistakes, vulnerable software implementations, protocol weaknesses, and failure to use security extensions.
- Common mistakes include single points of failure, exposure of internal information, leakage of internal queries, unnecessary recursiveness, failure to restrict access, and unprotected zone transfers.
- Software vulnerabilities have included buffer overflows and flaws in randomization of source ports, transaction IDs, and domain name ordering that enable cache poisoning and man-in-the-middle attacks.
This chapter discusses software development security. It covers topics like programming concepts, compilers and interpreters, procedural vs object-oriented languages, application development methods like waterfall vs agile models, databases, object-oriented design, assessing software vulnerabilities, and artificial intelligence techniques. The key aspects are securing the entire software development lifecycle from initial planning through operation and disposal, using secure coding practices, testing for vulnerabilities, and continually improving processes.
This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.
This document provides an overview of elliptic curve cryptography including what an elliptic curve is, the elliptic curve discrete logarithm problem (ECDLP), Diffie-Hellman key agreement and digital signatures using elliptic curves. It discusses NIST standard curves like P-256 and Curve25519 as well as choosing appropriate curves and potential issues like attacks if randomness is not properly implemented or an invalid curve is used.
The document discusses the Diffie-Hellman key exchange protocol. It describes how Diffie-Hellman works by having two parties agree on a shared secret over an insecure channel without transmitting the secret itself. It also covers potential issues like using proper cryptographic techniques to derive keys from the shared secret and using safe prime numbers to prevent attacks.
This document provides an overview of analyzing iOS apps, including jailbreaking mobile devices. It discusses iOS security features like code signing and sandboxing. It explains how to set up a test environment for analyzing apps by jailbreaking a device and using Unix tools. Key files like property lists and databases that can be explored are also outlined.
This document discusses various techniques for writing secure Android apps, including minimizing unnecessary permissions and exposure, securing data storage and communication, and making apps difficult to reverse engineer. It provides examples of implementing essential security mechanisms like permission protection and securing activities, content providers, and web views. It also covers more advanced techniques such as protection level downgrades, obfuscation, and tamper detection.
This document provides an overview of the RSA cryptosystem. It begins with the mathematical foundations of RSA, including the group ZN* and Euler's totient function. It then covers the RSA trapdoor permutation using modular exponentiation and key generation. The document discusses encrypting and signing with RSA, as well as implementations using libraries and algorithms like square-and-multiply. It concludes with topics like side-channel attacks, optimizations for speed, and ways implementations can fail like the Bellcore attack on RSA-CRT.
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.
This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
This document provides an overview of the incident response analysis methodology process. It discusses defining objectives, understanding the situation and available resources, identifying leadership, avoiding impossible tasks like proving a negative, asking why to define scope, knowing where data is stored, accessing raw data, selecting analysis methods like searching for malware or using tools like VirusTotal, manual review, filtering data, statistical analysis using tools like Sawmill, string searching, analyzing unallocated space, and file carving. It stresses periodically evaluating results to ensure progress and only making definitive statements if supported by evidence.
This document discusses authenticated encryption, which both encrypts messages and authenticates them with a tag. It covers several authenticated encryption schemes:
1. Authenticated Encryption with Associated Data (AEAD) which encrypts a plaintext and authenticates additional associated data with a tag.
2. AES-GCM, the standard authenticated cipher, which uses AES in Galois/Counter Mode. It has two layers - encryption then authentication.
3. OCB, faster than GCM but limited by licensing. It blends encryption and authentication into one layer.
4. SIV, considered the safest as it is secure even if nonces are reused, but it is not streamable.
This document summarizes part 2 of a course on attacking Android applications. It discusses how application components like activities and services can be exploited if not properly protected. Specific vulnerabilities in the Sieve password manager application are demonstrated, including insecure content providers, SQL injection, and an insecure file-backed content provider. The document also covers how services and broadcast receivers can be abused if not protected correctly.
This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.
The document discusses stream ciphers and how they can be implemented in either hardware or software. It describes how stream ciphers work by generating a pseudorandom bitstream from a key and nonce that is XOR'd with the plaintext. Hardware-oriented stream ciphers were initially more efficient to implement than block ciphers using dedicated circuits like LFSRs. However, LFSR-based designs are insecure and modern software-oriented stream ciphers like Salsa20 are more efficient on CPUs. The document cautions that stream ciphers can be broken if the key and nonce are reused or if there are flaws in the implementation.
Live data collection on Windows systems can be done using prebuilt kits like Mandiant Redline or Velociraptor, by creating your own scripted toolkit using built-in and free tools to collect processes, network connections, system logs and other volatile data, while following best practices like testing your methods first and being cautious of malware on investigated systems.
Block ciphers like AES encrypt data in fixed-size blocks and use cryptographic keys and rounds of processing to encrypt the data securely. AES is the current standard, using 128-bit blocks and keys of 128, 192, or 256 bits. Modes of operation like ECB, CBC, CTR are used to handle full messages. ECB is insecure as identical plaintext blocks produce identical ciphertext, while CBC and CTR provide security if nonces and IVs are not reused. Implementation details like padding and side channels must be handled carefully to prevent attacks.
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
How to Setup Warehouse & Location in Odoo 17 InventoryCeline George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
How to Build a Module in Odoo 17 Using the Scaffold MethodCeline George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Walmart Business+ and Spark Good for Nonprofits.pdfTechSoup
"Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits order and expense tracking, saving time and money.
The webinar may also give some examples on how nonprofits can best leverage Walmart Business+.
The event will cover the following::
Walmart Business + (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a 'Spend Analytics” feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180 days membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!"
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPRAHUL
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
3. DHCP
• Dynamic Host Configuration Protocol
• Assigns IP addresses to devices (with subnet
mask and gateway address)
• Can also configure DNS server address
• Uses UDP port 67 and 68
4. DHCP Lease
• An IP address may change every time the
device reboots
• So DHCP logs are essential to identify devices
from IP addresses
5. DHCP Searches
• Search a date for an IP address
• To find which system had that address when
an alert happened
• Search all dates for a MAC address
• Gets all the IP addresses that system had over
time
6. Microsoft's DHCP Logs
• DHCP Server Role is part of Windows Server
• By default, located at %windir%\System32\Dhcp
• A plain comma-delimited text file
• ID, Date, Time, Description, IP Address, Host
Name, MAC Address
• Links Ch 10a, 10b
7. Issues with Microsoft DHCP
• Note: "Time" is local time, not UTC
• Logs only retained for one week
by default
8. ISC DHCP
• Most common on Unix/Linux systems
• Free and open-source
• Logs go to syslog local7
• Links Ch 10c
9. ISC DHCP Log Example
[root@proxy log]# tail -f dhcpd.log
Jan 15 13:49:59 proxy dhcpd: DHCPACK on 192.168.0.23 to 00:80:ad:01:7e:12 (programming) via eth1
Jan 15 13:54:45 proxy dhcpd: DHCPINFORM from 192.168.0.13 via eth1: not authoritative for subnet 192.168.0.0
• Link Ch 10d
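The two DHCP searches from slide 5 (which host held an IP at a given moment; every IP a MAC held over time), run over both log formats the slides describe. This is an added example, not course material: the ISC syslog lines follow the shape shown above, the Microsoft DhcpSrvLog lines are constructed, and the UTC offsets are assumptions that stand in for the local-time caveat of slide 7. ISC syslog lines carry no year, so the analyst supplies it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed ISC dhcpd syslog lines, in the shape shown on the slide.
ISC_LOG = """\
Jan 15 13:49:59 proxy dhcpd: DHCPACK on 192.168.0.23 to 00:80:ad:01:7e:12 (programming) via eth1
Jan 15 13:54:45 proxy dhcpd: DHCPINFORM from 192.168.0.13 via eth1: not authoritative for subnet 192.168.0.0
Jan 16 09:02:10 proxy dhcpd: DHCPACK on 192.168.0.41 to 00:80:ad:01:7e:12 (programming) via eth1
"""

# Constructed Microsoft DHCP server log lines: ID,Date,Time,Description,IP Address,
# Host Name,MAC Address. Event ID 10 is a new lease, 11 a renewal. Times are local.
MS_LOG = """\
10,01/15/18,08:30:02,Assign,10.1.1.50,ws-acct-07.example.local,001C4200AB12,
11,01/15/18,20:30:05,Renew,10.1.1.50,ws-acct-07.example.local,001C4200AB12,
10,01/16/18,07:12:44,Assign,10.1.1.77,ws-acct-07.example.local,001C4200AB12,
"""

ISC_ACK = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?"
)


def norm_mac(mac):
    """Normalise '00:80:ad:01:7e:12', '0080AD017E12' or '00-80-AD-..' to one form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_isc(text, year, utc_offset_hours):
    """Yield (utc_time, ip, mac, host) per DHCPACK. Syslog lines carry no year
    and use the server's local clock, so both are supplied by the analyst."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    for line in text.splitlines():
        m = ISC_ACK.match(line)
        if not m:
            continue  # DHCPINFORM, DISCOVER etc. assign no address
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        yield ts.astimezone(timezone.utc), m["ip"], norm_mac(m["mac"]), m["host"] or ""


def parse_ms(text, utc_offset_hours):
    """Yield the same tuples from Microsoft DhcpSrvLog lines, converting the
    local 'Time' column to UTC (the caveat on slide 7)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 7 or f[0] not in ("10", "11"):
            continue  # header lines and non-lease events
        ts = datetime.strptime(f"{f[1]} {f[2]}", "%m/%d/%y %H:%M:%S").replace(tzinfo=tz)
        yield ts.astimezone(timezone.utc), f[4], norm_mac(f[6]), f[5]


def who_had_ip(leases, ip, when):
    """'Search a date for an IP address': the latest lease of `ip` at or before
    `when` (an aware datetime or an ISO-8601 string read as UTC), else None."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    cands = [l for l in leases if l[1] == ip and l[0] <= when]
    return max(cands, key=lambda l: l[0]) if cands else None


def ips_for_mac(leases, mac):
    """'Search all dates for a MAC address': every IP the MAC held, with the
    time it was first seen with each, in chronological order."""
    mac = norm_mac(mac)
    first_seen = {}
    for ts, ip, m, _ in sorted(leases, key=lambda l: l[0]):
        if m == mac and ip not in first_seen:
            first_seen[ip] = ts
    return [(ts, ip) for ip, ts in first_seen.items()]


def all_leases():
    """Merge both sources. Assumed offsets for the constructed data: the syslog
    host keeps UTC, the Windows DHCP server is at UTC-8."""
    return list(parse_isc(ISC_LOG, 2018, 0)) + list(parse_ms(MS_LOG, -8))
```

Everything is normalised to UTC before searching, because an alert timestamp from a SIEM and a DHCP log from a server in another time zone are otherwise off by hours, which is exactly enough to attribute an address to the wrong host.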
11. DNS
• Domain Name System
• Resolves domain names like ccsf.edu to IP
addresses like 147.144.1.212
• DNS logs show every domain visited, the IP
visiting it, and the time
• Malicious servers change IP addresses
frequently
12. ISC BIND
• Berkeley Internet Name Domain
• Logging is off by default; turn it on in
named.conf.local
• Link Ch 10f
14. Network-Level DNS Logging
• Any packet capture utility can do it, such as
tcpdump
• DNSCAP is specialized for DNS capturing
• Can log queries, and/or save a PCAP file
• Link Ch 10g
17. LANDesk's Software
Management Suite
• Software License Monitoring (SLM)
• Tracks execution history of every application
• Date and time the application ran
• File attributes of the executable
• User account that ran it
• Link Ch 10h
18. Attackers
• Attackers often copy hacking tools like
password hash dumpers to a system, run it, and
then delete it
• LANDesk will record this in the SLM monitor
logs (in the Registry)
• Even if the binary has been deleted
20. Parsing the Registry Keys
• SLM Browser
• Doesn't work on exported registry hives
• RegRipper does
• Links Ch 10l, 10m, 10n, 10o
21. What to Look For
• Low "Total Runs"
• Attackers often run a tool once and then
delete it
• Suspicious paths of execution
• Many tools run from the same directory
• Anything running from the Recycle Bin
22. What to Look For
• Timeline Analysis
• Look for rarely used utilities running within a
short time period
• Such as net.exe, net1.exe, cmd.exe, at.exe
• May indicate lateral movement
23. What to Look For
• Suspicious usernames in Current User
• User accounts with a low number of
application runs
• Accounts that shouldn't normally access this
system
• Accounts with elevated privileges, such as
domain administrators
24. What to Look For
• Executables that have been deleted
• This is normal for installers
• Other executables are more suspicious
25. Symantec's Altiris Client
Management Suite
• Optional component for application metering
• Records execution history of applications run
on a system
• Link Ch 10p, 10q
26. Altiris Application Metering
Logs
• Saved as a plain text file, including this
information:
• Manufacturer, version, user
• Discovered (date of first execution)
• And date of last execution
• Run Count and Total Run Time
27. What to Look For
• Executables without version information
• Malware authors often strip this data to hide from
signature-based antivirus
• Identify suspicious executables by file size
• Malware is usually small; < 1 MB
• Attacker may use the same backdoor on multiple
systems, changing only the name, so the size is
the same
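The "what to look for" indicators from slides 21 to 24 (LANDesk) and 27 (Altiris) as one triage pass over execution-history records. This is an added example, not from the course or either product: the records are constructed, the field names are this example's own rather than either product's schema, and the `CORP\da-` prefix is an assumed naming convention for domain-admin accounts.

```python
from datetime import datetime, timedelta

# Constructed records in the shape an execution-history product yields after
# parsing (field names are this example's own). One record per executable and user.
RECORDS = [
    {"path": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "user": r"CORP\jsmith",
     "total_runs": 412, "last_run": datetime(2018, 3, 2, 9, 1), "version": "16.0.4266.1001", "size": 1942296},
    {"path": r"C:\Windows\System32\net.exe", "user": r"CORP\da-backup",
     "total_runs": 1, "last_run": datetime(2018, 3, 1, 2, 14, 0), "version": "10.0.17134.1", "size": 60928},
    {"path": r"C:\Windows\System32\net1.exe", "user": r"CORP\da-backup",
     "total_runs": 1, "last_run": datetime(2018, 3, 1, 2, 14, 30), "version": "10.0.17134.1", "size": 178176},
    {"path": r"C:\Windows\System32\at.exe", "user": r"CORP\da-backup",
     "total_runs": 1, "last_run": datetime(2018, 3, 1, 2, 16, 0), "version": "10.0.17134.1", "size": 38400},
    {"path": r"C:\$Recycle.Bin\S-1-5-21-1004\svch0st.exe", "user": r"CORP\da-backup",
     "total_runs": 1, "last_run": datetime(2018, 3, 1, 2, 17, 0), "version": "", "size": 84992},
    {"path": r"C:\Windows\Temp\pd.exe", "user": r"CORP\da-backup",
     "total_runs": 1, "last_run": datetime(2018, 3, 1, 2, 18, 0), "version": "", "size": 84992},
]

LATERAL_TOOLS = {"net.exe", "net1.exe", "cmd.exe", "at.exe"}   # slide 22
PRIVILEGED_PREFIX = r"CORP\da-"   # assumed naming convention for domain-admin accounts
SAME_SIZE = "same size as another executable under a different name"
CLUSTERED = "rarely used lateral-movement tools run within a short window"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(records, low_runs=1, small=1_000_000, window=timedelta(minutes=10)):
    """Return {index: [reasons]} for records matching the slides' indicators."""
    flags = {}

    def flag(i, why):
        flags.setdefault(i, [])
        if why not in flags[i]:
            flags[i].append(why)

    # Slide 27: a renamed backdoor keeps its size; group names by size first.
    names_by_size = {}
    for r in records:
        names_by_size.setdefault(r["size"], set()).add(basename(r["path"]))

    for i, r in enumerate(records):
        if r["total_runs"] <= low_runs:
            flag(i, "low total runs")
        if "$recycle.bin" in r["path"].lower():
            flag(i, "executed from the Recycle Bin")
        if not r["version"]:
            flag(i, "no version information")
        if r["size"] < small and len(names_by_size[r["size"]]) > 1:
            flag(i, SAME_SIZE)
        if r["user"].lower().startswith(PRIVILEGED_PREFIX.lower()):
            flag(i, "run by a privileged account")

    # Slide 22: net/net1/cmd/at executed close together may indicate lateral movement.
    lateral = sorted((r["last_run"], i) for i, r in enumerate(records)
                     if basename(r["path"]) in LATERAL_TOOLS)
    for (t1, i1), (t2, i2) in zip(lateral, lateral[1:]):
        if t2 - t1 <= window:
            flag(i1, CLUSTERED)
            flag(i2, CLUSTERED)
    return flags


def ranked(records):
    """Record indexes ordered by number of indicators, most suspicious first."""
    flags = triage(records)
    return sorted(flags, key=lambda i: (-len(flags[i]), i))
```

None of these indicators is conclusive on its own (installers are deleted after one run, administrators do use net.exe), which is why the output is a ranked list with the reasons attached rather than a verdict.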
29. General Features
• Antivirus doesn't usually detect all programs
• Only the ones recognized as malicious
• Common administrative tools won't be detected
• Also some malicious tools lack a signature, and
won't be detected
• Antivirus logs are useful, but give an incomplete
picture of attacker activities
30. Antivirus Quarantine
• AV encodes malicious files & moves them to a
Quarantine folder
• Files can no longer execute
• Preserves files for incident responders
• Make sure antivirus is set to quarantine files,
not delete them
31. About Archives
• Attackers often use password-protected archive
files
• Antivirus can't open them to scan them
• Often AV will log errors about them
• This is a clue about attacker activity
34. Quarantine Files
• File extension of .vbn
• Two VBN files for each file quarantined
• First: metadata about quarantined file
• Second: Encoded copy of original file
35. Symantec's Encoding
• Older versions: XOR with 0x5A
• Newer versions: XOR with 0xA5 and insert
additional 5-byte sequences throughout the
encoded file
• Symantec's QExtract.exe can extract files from
quarantine
• But only on the system that quarantined the
file
36. To Extract Quarantined Files
• Obtain the correct version of QExtract
• Boot up a forensic image of the affected
system
• OR use pyextract.py (link Ch 10r)
• But it sometimes fails to reconstruct the file
correctly
39. Most Useful
• OnAccessScanLog.txt and
OnDemandScanLog.txt
• Shows files that were quarantined or deleted
• With name of the detected threat
• Also creates events in Event Log
40. McAfee Quarantined Files
• .bup extension: an OLE compound file with two parts
• "Details" contains metadata
• "File_0": the actual quarantined file
• XORed with 0x6A and compressed into OLE
format
• To extract, use 7-Zip
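The single-byte XOR step shared by the older Symantec encoding (slide 35, key 0x5A) and the McAfee File_0 stream (slide 40, key 0x6A), plus the check a responder needs when a vendor's key is not known: a one-byte XOR leaks its key wherever the plaintext is known, and every Windows executable starts with "MZ". This is an added example, not vendor tooling; the sample payload is constructed, and neither Symantec's newer inserted-byte format nor McAfee's OLE container is handled here (the slides point to QExtract/pyextract and 7-Zip for those).

```python
from typing import Optional

SYMANTEC_OLD_KEY = 0x5A   # older Symantec VBN payloads, per the slide
MCAFEE_KEY = 0x6A         # McAfee .bup File_0 stream, per the slide


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(encoded: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """A single-byte XOR leaks its key wherever the plaintext is known. For a
    Windows executable the first two bytes are 'MZ'. Returns the key only if
    every known byte implies the same value, else None."""
    if len(encoded) < len(known_prefix):
        return None
    keys = {e ^ p for e, p in zip(encoded, known_prefix)}
    return keys.pop() if len(keys) == 1 else None


def extract(encoded: bytes, vendor_key: Optional[int] = None) -> bytes:
    """Decode a quarantined PE with a known vendor key, or by recovering the key."""
    key = vendor_key if vendor_key is not None else recover_key(encoded)
    if key is None:
        raise ValueError("could not determine the XOR key")
    plain = xor_bytes(encoded, key)
    if not plain.startswith(b"MZ"):
        raise ValueError("decoded data does not start with an MZ header")
    return plain


# Constructed stand-in for a quarantined executable: an MZ signature, padding
# and the familiar DOS-stub string. It is not a runnable binary.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode.\r\n"


def demo():
    """Round-trip the sample through both vendor keys, with and without
    knowing the key; returns {vendor: (recovered key, ok_by_recovery, ok_by_key)}."""
    out = {}
    for vendor, key in (("symantec_old", SYMANTEC_OLD_KEY), ("mcafee", MCAFEE_KEY)):
        enc = xor_bytes(SAMPLE_PE, key)
        out[vendor] = (recover_key(enc), extract(enc) == SAMPLE_PE, extract(enc, key) == SAMPLE_PE)
    return out
```

Decode into an isolated analysis directory: the output is the original malicious file, which the antivirus will quarantine again the moment it is written to a protected system.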
46. Background
• Browsers send HTTP (Hypertext Transfer
Protocol) requests
• GET
• To retrieve a page, image, etc.
• POST
• To send data, like username and password
47. Ports
• HTTP uses TCP port 80 (by default)
• HTTPS uses TCP port 443 (by default)
48. Virtual Hosts
• Many websites running on the same server
• If one is compromised, they may all be affected
49. Log Files on Web Servers
• Stored in plain text
• Summary of each request
• IP of client
• URL requested
• HTTP method
• Result (status code)
51. Load Balancing
• Sends requests to a pool of servers
• Web server logs will have the IP of the load
balancer, not the client
• You need to correlate load balancer logs with Web
server logs
• OR: configure the load balancer to "pass through"
some details about the client
• X-Forwarded-For header field
• Configure Web server to log that header
52. Web Content
• Attackers often alter files on a Web server
• Or upload files, such as webshells and
hacking tools
• They may be plaintext or obfuscated
54. Apache
• Free, open-source
• Usually running on Linux
• Configuration files
• httpd.conf, apache.conf, apache2.conf
• Some directives in .htaccess files
55. Apache Log Files
• access.log and error.log (plain text)
• In a subdirectory of /var/log
• To log X-Forwarded-For headers, add this
field to the LogFormat directive in the
configuration file:
%{X-Forwarded-For}i
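A parser for the load-balancer case from slides 51 and 55: Apache access-log lines that end with the `%{X-Forwarded-For}i` field, and a rule for which address in that header to believe. This is an added example, not course material; the LogFormat, the log lines and the trusted-proxy subnet are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed LogFormat (combined plus the header as a final quoted field):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
LINE = re.compile(
    r'^(?P<h>\S+) \S+ \S+ \[(?P<t>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Assumed: the load balancers that terminate client connections live here.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed log lines. %h is always the balancer; the client is in the header.
SAMPLE = """\
10.0.0.5 - - [20/Feb/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "203.0.113.8"
10.0.0.5 - - [20/Feb/2014:10:00:07 +0000] "POST /contact.php HTTP/1.1" 200 312 "-" "curl/7.54.0" "198.51.100.77"
10.0.0.5 - - [20/Feb/2014:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.18" "127.0.0.1, 198.51.100.77"
10.0.0.5 - - [20/Feb/2014:10:00:12 +0000] "GET /admin/ HTTP/1.1" 403 209 "-" "python-requests/2.18" "-"
"""


def parse_ip(addr):
    """An IP address object, or None for anything that is not one."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def is_trusted(addr):
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(rec):
    """Pick the client address for one parsed record.

    Only the right-most X-Forwarded-For entry was appended by our balancer;
    anything to its left arrived from the network and is whatever the sender
    chose to claim. Walk from the right past our own proxies and stop at the
    first address we did not add. If %h is not a trusted proxy the header is
    ignored entirely. Unverified left-hand entries are kept under 'claimed'."""
    hops = [x.strip() for x in rec["xff"].split(",") if x.strip() and x.strip() != "-"]
    if not is_trusted(rec["h"]):
        rec["claimed"] = hops
        return rec["h"]
    while hops and is_trusted(hops[-1]):
        hops.pop()
    client = parse_ip(hops[-1]) if hops else None
    if client is None:            # empty header, or garbage in the last hop
        rec["claimed"] = hops
        return rec["h"]
    rec["claimed"] = hops[:-1]
    return str(client)


def parse(text):
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["client"] = client_ip(rec)
            recs.append(rec)
    return recs


def requests_by_client(recs):
    """Request counts keyed by the verified client address."""
    return Counter(r["client"] for r in recs)
```

The third sample line shows why the rule matters: the sender put `127.0.0.1` in the header itself, and a parser that takes the left-most entry would attribute the request to localhost.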
56. Content Locations
• /var/www or /var/www/html by default
• Often changed
• Search for ServerRoot and DocumentRoot
directives in configuration files
57. Microsoft's IIS
• Internet Information Services
• Included in Server versions of Windows
• Configured through Control Panel
• Most relevant settings are stored in an XML file
named applicationHost.config
58. IIS Config File
• ID number appears at end of log directory name
• %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
59. IIS Log Files
• Filenames contain date in YYMMDD format
• u_ex140220.log: logs from Feb. 20, 2014
• Advanced Logging places logs in a different
directory
• Logs are plaintext but are encoded with UTF-8
and may include unicode characters
60. Example Log File
• Link Ch 10u
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-04-13 19:02:34
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-02 15:15:37 XXX.XX.XX.XXX POST /AjaxWebMethods.aspx/TestWebMethod - 443 - XXX.XX.XX.XX Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 405 0 0 218
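A parser for the IIS W3C extended format shown on slide 60 that reads the column layout from the `#Fields` directive instead of hard-coding it, since administrators add and remove columns and IIS writes a new directive block whenever they do. This is an added example, not course material; the log text is constructed in the same shape as the slide's, with documentation-range addresses where the slide redacts them.

```python
from collections import Counter

# Constructed W3C extended log text in the shape of the slide's example. The
# date and time columns are UTC in this format.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-04-13 19:02:34
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-02 15:15:37 192.0.2.10 POST /AjaxWebMethods.aspx/TestWebMethod - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 405 0 0 218
2012-07-02 15:15:39 192.0.2.10 GET /default.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+5.1;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 200 0 0 15
2012-07-02 15:16:02 192.0.2.10 POST /upload.aspx - 443 CORP\\svc-web 203.0.113.9 python-requests/2.18 200 0 0 874
2012-07-02 15:16:05 192.0.2.10 GET /uploads/report.aspx id=7 443 - 203.0.113.9 python-requests/2.18 500 0 0 120
"""


def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the most recent
    #Fields directive. IIS writes a fresh directive block whenever the logged
    columns change, so the header is re-read rather than hard-coded."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("data row appears before any #Fields directive")
        vals = line.split(" ")
        if len(vals) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(vals)}: {line!r}")
        row = dict(zip(fields, vals))
        # IIS substitutes '+' for spaces inside a value; undo it for the UA.
        if "cs(User-Agent)" in row:
            row["cs(User-Agent)"] = row["cs(User-Agent)"].replace("+", " ")
        rows.append(row)
    return rows


def status_by_client(rows):
    """Counts of (c-ip, sc-status): a quick view of who got what from the server."""
    return Counter((r["c-ip"], r["sc-status"]) for r in rows)


def rejected_posts(rows):
    """POST requests the server did not accept (status outside 2xx). A burst of
    405s or 500s on POST from one address often marks probing for input handlers."""
    return [r for r in rows if r["cs-method"] == "POST" and not r["sc-status"].startswith("2")]
```

A column-count mismatch is raised rather than skipped: in an incident it usually means the file was truncated or tampered with, and a silent skip would hide exactly the rows worth reading.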
62. DB Evidence
• Client connection logs
• Attacker's IP address
• Error logs
• Malformed queries; brute force attacks
• Query logs
• Often not enabled, but would show what the
attacker was trying to access
63. DB Storage
• Data stored in many files
• Sometimes "raw" storage
• Proprietary methods to manage one or more
storage devices at the physical level
• Work with database administrator to deal with
customized databases
• Don't work on a live DB
• You might modify data or even cause a crash
64. Microsoft SQL
• Free version: SQL Server Express
• Configured with Microsoft SQL Server
Management Studio (SSMS)
• MSSQL does not log client connections by
default
• Only failed connections
65. ERRORLOG
• This example logs first an unsuccessful, then a
successful, connection attempt
• Both go into ERRORLOG
66. Query Logging
• MSSQL does not log queries by default
• You can turn on a "server-side-trace"
• But it incurs large processing overhead
67. Preserving DB Evidence
• Forensic image of the drives containing the DB
• Good, but requires taking down the DB server
• Copying DB files: .mdf & .ldf
• Locked; must take down DB to copy them
• Use SSMS to back up or export data
• Alters some evidence, like other live images
69. MySQL Logs
• Commonly in /var/log/mysql
• Only error log enabled by default
• General log is more useful for us, but causes
high logging overhead
70. Example
• General log
• User "root" connected from 192.168.200.2
• Executed this query
• select * from cc_data limit 1
71. Acquiring MySQL Data
• Can use a number of database file storage formats
• Ideal way:
• Shut down server gracefully, image hard disk
• On a running system
• Stop the MySQL service and copy all the files in
the datadir, or
• Backup with mysqldump command without
stopping the service
72. Oracle
• Runs on Windows or Linux
• Expensive
• listener.log
• Details about each client connection
• log.xml
• Alerts
73. Example listener.log
• Successful connection to an Oracle DB
• "Bob" is username on remote system
• Does not indicate success or failure
• Unless auditing is enabled (high performance
impact)