For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTP’s) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and related workflow.
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTP’s) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and related workflow.
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
Anomalies Detection: Windows OS- Part 1 describes in detail about Malware Investigation steps. It focuses on Identifying process anomalies, RootKit detection,
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
Anomalies Detection: Windows OS - Part 1 describes in detail about determining malicious processes/anomalies running in Windows OS systems. PPT focuses on how to differentiate Rogue processes from legitimate ones, Identifying unknown services, Code injection and Rootkits detection and mitigation, Unusual OS artifacts that would arise suspicion, Anomalies detection using Network activity and in determining evidence of persistence.
Part 2 of this series explains about malware detection checklist to ease investigators in identifying malwares.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
4. Purpose
• The registry contains configuration data for the
Windows operating system and applications
• Many artifacts of great forensic value
5. Hive Files
• Binary files that store the Registry
• Five main registry hives in
%SYSTEMROOT%system32config
• SYSTEM, SECURITY, SOFTWARE, SAM, DEFAULT
• User-specific hive files in each user's profile
directory
• UsersusernameNTUSER.DAT
• UsersusernameAppDataLocalMicrosoftWindo
wsUSRCLASS.DAT
6. Windows Profiles
• Created the first time a user interactively logs
on to a system
• Users who connect over the network don't
create a profile folder
10. Virtual Key Paths
• Dynamically created in a running system
• Not visible on a registry capture
• HKEY_Current_User
• Links to HKEY_USERS{SID}
• HKLMSYSTEMCurrentControlSet
• Links to HKLMSYSTEMControlSetNNN
• HKEY_CLASSES_ROOT
• Merges two subways
11. Registry Timestamps
• Only one: LastWriteTime
• Stored on a key, not value
• Changed when any value under the key is
added, removed, or changed
• But not when subkeys' values are modified
12. Example
• Run key: programs that launch on system startup
• Cannot determine when these three Run items
were added, without other evidence
13. More Limitations
• Windows frequently updates the
LastUpdateTime for large swaths of registry
keys
• During updates, and sometimes even from a
reboot
• Attackers cannot easily change registry
timestamps, although SetRegTime can do this
• Link Ch 12o
14. Registry Reflection and
Redirection
• 64-bit Windows allows 32-bit software to run
• 32-bit programs are redirected by the W0W64
sybsystem to alternate registry keys, like
• HKLMSOFTWAREWoW6432Node
• This means 32-bit forensic software won't see
the whole Registry
17. Basic System Information
• Computer Name
• HKLMSystemCurrentControlSet
ControlComputername
• Windows Version
• HKLMSoftwareMicrosoftWindows NT
CurrentVersion
• Time Zone
• HKLMSystemCurrentControlSet
ControlTimeZoneInformation
18. Basic System Information
• List of Installed Applications
• HKLMSoftwareMicrosoftWindows
CurrentVersionUninstall{Appname}
• Mounted Devices (with drive letters)
• HKLMSystemMountedDevices
19. USBSTOR
• Shows every USB device that has been
connected
• A forensic examiner should look here first, to
find out what other devices should be requested
for discovery, by court order or search warrant
23. Shim Cache
• Also called "Application Compatibility Cache"
• Used to track special compatibility settings for
executable files and scripts
• May include:
• File name, path, and size
• Last modified date
• Whether the file actually ran on the system
24. Shim Cache
• Maintained in memory, written to the registry on
shutdown
• Maintains up to 1024 entries
• More than Prefetch (128)
• includes apps that haven't executed yet
• Next two slides from link Ch 12a
29. Auto-Run Keys
(Auto-Start Extensibility Points)
• Load programs on system boot, user login, and
other conditions
• Commonly used by malware to attain
persistence
• Windows provides hundreds of registry-based
persistence mechanisms
• Some are still undocumented
30. Services
• Most common and widely used persistence
mechanism
• Services run in the background
• Usually under one of these login accounts
• Local System (most powerful)
• Network System
• Local Service
31. Services in the Registry
• Each service has its own subkey under
• HKLMCurrentControlSetservicesservicename
• With this information:
• DisplayName and Description
• ImagePath
• How service starts
• Type of service, such as driver or process
33. Service Control Manager
• Services.exe
• Launches Windows services upon startup
• Command-line "sc" command lets you examine,
start, stop, and create services
38. Active Setup
• Facilitates software installation and updates
• Subkeys named with GUIDs (long random-looking
numbers)
• Malware authors often re-use GUIDs so Googling
them can be useful
• StubPath points to an EXE that will run on startup
39. AppInit_DLLs
• DLLs that will be automatically loaded whenever
a user-mode app linked to user32.dll is
launched
• Almost every app uses user32 to draw
windows, etc. (link Ch 12p)
40. LSA (Local Security
Authority) Packages
• Load on startup
• Intended for authentication packages, but can
be used to launch malware
41. Browser Helper Objects
(BHOs)
• Add-ons or plug-ins for Internet Explorer
• Such as toolbars, adware, scareware
• No longer supported in Edge
42. Shell Extensions
• Like Browser Helper Objects, but for Windows
Explorer
• Add context items when right-clicking a file
• Found at:
• HKCRCLSID{CLSID}InprocServer32
• HKCR{sub-key}shellex
44. Winlogon Shell
• The shell that loads when user logs on
• Normally set to Explorer.exe
• Can be set to any executable file
45. Winlogon Userinit
• Loads logon and group policy scripts, other
auto-runs, and the Explorer shell
• Attackers can append additional executables to
this value
46. Identifying Malicious
Auto-Runs
• Eyeball it, looking for suspicious files or paths,
spelling errors, broken English, etc.
• Risky; real commercial software is often
sloppily made, and some attackers are careful
• Next slide: which item is malicious?
48. Real DLL is iprip.dll
Spelling error but genuine
No description, runs from Temp, but genuine
49. Recommended Steps
1. Exclude persistent binaries signed by trusted
publishers (but not all signed binaries)
2. Exclude persistent items created outside the
time window of interest
3. Examine paths of remaining persistent binaries
•Attackers tend to use Temp folders or
common directories within %SYSTEMROOT%
•Not deeply nested subdirectories specific to
obscure third-party applications
50. Recommended Steps
4. Research MD5 hashes for remaining persistent
binaries on VirusTotal, Bit9, etc.
5. Compare remaining unknowns against a
known "gold image" used to install the
systems
52. Signed Malware
• Attackers have been stealing code-signing
signatures, and signing malware
• Also, not all legitimate persistent files, even
Windows components, are signed
• Sometimes updates remove signatures
55. Personalization
• User hive registry keys contain personalization
settings for each user
• First priority: compromised accounts
• Acquire NTUSER.DAT and USRCLASS.DAT
• Check machine accounts, such as
NetworkService and LocalSystem
• May also contain evidence
57. Shellbags
• Used to remember size,
position, and view settings of
windows
• Persist even if a directory is
deleted
• Saved in a user’s profile
registry hive
58. Shellbags Contain
• Full directory paths accessed via Explorer
• Date and time of access
• Modified, Accessed, and Created times of each
path recorded when the access occurred
• Such historical records are very useful to track
attacker actions
61. UserAssist v. Prefetch
• UserAssist only tracks items opened via
Explorer
• Including from the Run box and Start menu
• But not from the command prompt
• Prefetch files don't identify which user executed
a program
63. MUICache
• Multilingual User Interface
• Another list of programs executed by a user
• HKEY_USERS{SID}_ClassesLocalSettingsSoftware
MicrosoftWindowsShellMuiCache
64. Most Recently Used
(MRU) Keys
• Used by
many
applications
• No standard
registry
path or
value
naming
convention
66. Explorer Open and Save
MRU
• Files and folders most recently accessed in the
Open and Save dialog menus
• RegRipper can find the data
67. Start Menu Run MRU
• Programs recently launched from the Run box
• Human-readable
• HKEY_USERS{SID}SoftwareMicrosoftWindows
CurrentVersionExplorerRunMRU
68. RecentDocs
• Recently opened documents (any file extension)
• Used to populate File menu of various
applications
• HKEY_USERS{SID}SoftwareMicrosoft
WindowsCurrentVersionExplorerRecentDocs
69. Internet Explorer
TypedURLs & TypedPaths
• Used to populate the address bar drop-down list
in Internet Explorer
• May contain URLs and paths to local files
• HKEY_USERS{SID}SoftwareMicrosoft
InternetExplorerTypedURLs
• HKEY_USERS{SID}
SoftwareMicrosoftInternetExplorer
TypedPaths
70.
71. Proves Intent
• User typed (or pasted) these URLs into the
address bar
• Didn't just click a link
72. Remote Desktop MRU
• Used to remotely control Windows machines
• Maintains history of recent connections and
configuration data
• May tell you where a user connected and who
they attempted to log in as