Aceds 2015 wie nycpa final oct panel slidesJoe Bartolo
eDiscovery Nightmares - Panel Discussion - October 27th - New York City - Nixon Peabody - ACEDS - Women in eDiscovery - New York City Paralegal Association
This document provides an overview of a task force report on evolving US cybersecurity policy. It contains an acknowledgements section, table of contents, list of acronyms, and executive summary. The task force examined major issues in domestic and international cybersecurity policy, focusing on information sharing between the private sector and government, privacy concerns, encryption, surveillance, and defensive/offensive legislation and strategy. It provides industry snapshots on financial services and Microsoft. The task force recommends standardizing threat assessments, legal frameworks, and narrowing broad policies to build trust. It also recommends strengthening collaboration between stakeholders, international organizations, and the private sector to develop future-oriented, balanced cybersecurity norms and policies.
Kate Crawford's keynote address highlighted concerns about an IBM initiative using machine learning to analyze data on Syrian refugees. The model aimed to identify "jihadist" refugees by generating risk scores based on data including dark web purchases and social media activity. Crawford worried this could lead to false positives and discrimination against vulnerable populations. She argued it showed privacy laws are ill-equipped for modern data practices and predictive models operate as "black boxes", making outcomes difficult to challenge. The conference then discussed tensions between privacy as a human right versus being a tradable commodity, and debated how businesses and researchers can balance innovation with ethical use of personal data.
This document outlines considerations for creating and implementing nationwide privacy awareness programs. It begins with a brief history of privacy, discussing early concepts of privacy from the 1890s and key court rulings that helped define privacy. It then introduces the author, Dr. K Rama Subramaniam, who has extensive experience in information security, before providing an overview of the contents to be covered in the document.
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
This document discusses cybersecurity threats facing accounting firms and their clients. It provides examples of major data breaches in recent years that impacted millions of customer accounts. While many firms believe they are protected, the document cites statistics showing that most have no formal cybersecurity or internet use policies. It also discusses new regulations and standards, like the HIPAA Omnibus Rules and a recent Executive Order, that require firms to improve their cybersecurity practices to safeguard sensitive data. The role of a Virtual Chief Security Officer is introduced to help firms address these growing risks and compliance requirements.
Artificial Intelligence in Cyber Security Research Paper Writing.pptxkellysmith617941
The risk of cyber security is one of the reasons why advancement in artificial intelligence is very important. If you understand the core of the subject and thinking of a topic for artificial intelligence in cyber security research paper writing, then our specialized team can help you.
Aceds 2015 wie nycpa final oct panel slidesJoe Bartolo
eDiscovery Nightmares - Panel Discussion - October 27th - New York City - Nixon Peabody - ACEDS - Women in eDiscovery - New York City Paralegal Association
This document provides an overview of a task force report on evolving US cybersecurity policy. It contains an acknowledgements section, table of contents, list of acronyms, and executive summary. The task force examined major issues in domestic and international cybersecurity policy, focusing on information sharing between the private sector and government, privacy concerns, encryption, surveillance, and defensive/offensive legislation and strategy. It provides industry snapshots on financial services and Microsoft. The task force recommends standardizing threat assessments, legal frameworks, and narrowing broad policies to build trust. It also recommends strengthening collaboration between stakeholders, international organizations, and the private sector to develop future-oriented, balanced cybersecurity norms and policies.
Kate Crawford's keynote address highlighted concerns about an IBM initiative using machine learning to analyze data on Syrian refugees. The model aimed to identify "jihadist" refugees by generating risk scores based on data including dark web purchases and social media activity. Crawford worried this could lead to false positives and discrimination against vulnerable populations. She argued it showed privacy laws are ill-equipped for modern data practices and predictive models operate as "black boxes", making outcomes difficult to challenge. The conference then discussed tensions between privacy as a human right versus being a tradable commodity, and debated how businesses and researchers can balance innovation with ethical use of personal data.
This document outlines considerations for creating and implementing nationwide privacy awareness programs. It begins with a brief history of privacy, discussing early concepts of privacy from the 1890s and key court rulings that helped define privacy. It then introduces the author, Dr. K Rama Subramaniam, who has extensive experience in information security, before providing an overview of the contents to be covered in the document.
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
This document discusses cybersecurity threats facing accounting firms and their clients. It provides examples of major data breaches in recent years that impacted millions of customer accounts. While many firms believe they are protected, the document cites statistics showing that most have no formal cybersecurity or internet use policies. It also discusses new regulations and standards, like the HIPAA Omnibus Rules and a recent Executive Order, that require firms to improve their cybersecurity practices to safeguard sensitive data. The role of a Virtual Chief Security Officer is introduced to help firms address these growing risks and compliance requirements.
Artificial Intelligence in Cyber Security Research Paper Writing.pptxkellysmith617941
The risk of cyber security is one of the reasons why advancement in artificial intelligence is very important. If you understand the core of the subject and thinking of a topic for artificial intelligence in cyber security research paper writing, then our specialized team can help you.
These groups are loosely organized and have a small number of members. They
usually have little experience and rely on pre-packaged tools. Their attacks are usually not
sophisticated and they are more likely to get caught.
Associate: These groups are moderately organized with a moderate number of members. They
have some experience and skills but still rely on pre-packaged tools. Their attacks show some
planning and sophistication.
Principal: These groups are highly organized with a large number of experienced members. They
have strong technical skills and develop their own tools. Their attacks show extensive planning
and are very sophisticated. They are also very security conscious to avoid detection.
In summary, the typologies provided
The document discusses several ethical challenges related to information technology, including issues around software piracy, intellectual property, privacy, computer abuse, appropriate internet use, and establishing codes of ethics for IT professionals. It provides examples of both ethical and unethical behaviors related to computing and asks questions about who is responsible for dealing with ethical issues.
This document provides an overview and discussion of cybersecurity issues related to working from home during the COVID-19 pandemic. It discusses securing home networks and devices, protecting proprietary company information, training employees on cybersecurity best practices, and common cyber threats such as phishing scams taking advantage of coronavirus fears. Resources from government agencies and organizations are also included to help secure remote work environments and defend against cyberattacks.
Margolis Healy Campus Threat Assessment Case Studies: A Training ToolMargolis Healy
Campus Threat Assessment Case Studies: A Training Tool for Investigation, Evalution, and Intervention.
By Margolis Healy
Funded by Department of Justice, Office of Community Oriented Policing Services (COPS)
Released March 2013
This document discusses social engineering and managing the human element of cybersecurity. It begins with an introduction of the author, Dr. John McCarthy, and his background. It then discusses what social engineering is, how attacks are increasing, and the costs organizations face from such attacks. The document outlines common social engineering techniques like phishing and manipulating human psychology. It also discusses how attackers gather information and ways organizations can build countermeasures like security training and evaluating how sensitive information is handled.
DIATOMIC is a team from the University of Cincinnati that provides cybersecurity services focused on analyzing human behavior to assess and mitigate cybersecurity risks. The team includes Mark Stockman from the School of Information Technology, Joe Nedelec and Bill Mackey from the School of Criminal Justice. DIATOMIC's services involve identifying cybersecurity risks at multiple levels of an organization based on non-malicious employee behavior. They then develop customized strategies to incentivize best practices and reduce risks.
Cybersecurity & Data Protection: Thinking About Risk & ComplianceShawn Tuma
Cybersecurity & Data Protection: Thinking About Risk & Compliance is a presentation that Frisco business lawyer Shawn Tuma delivered to the Corporate Counsel Section of the Collin County Bar Association. The presentation date was May 29, 2015.
This document describes the registration process for a free membership to a solutions program run by Syngress publishing. The summary is:
1. Syngress has published several best-selling books on topics like ISA Server 2000 and intrusion detection and one reason for their success is the solutions program.
2. As a registered owner of this Syngress book, the reader can qualify for free access to the member-only solutions program which provides downloadable e-books, an FAQ page, and a forum for interaction with the book authors.
3. To register for the free membership, the reader needs to visit the listed website and go through a simple registration process using the book.
Open Letter to President Obama Opposing Backdoors and Defective EncryptionAlvaro Lopez Ortega
Dear President Obama,
We the undersigned represent a wide variety of civil society organizations dedicated to protecting civil liberties, human rights, and innovation online, as well as technology companies, trade associations, and security and policy experts. We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities
We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.
Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.
In addition to undermining cybersecurity, any kind of vulnerability mandate would also seriously undermine our economic security. U.S. companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency’s surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers—be they domestic or international, 2 individual or institutional—to turn away from those compromised products and services. Instead, they—and many of the bad actors whose behavior the government is hoping to impact—will simply rely on encrypted of
Background and services provided by Alloy Cybersecurity - reducing risk of organizational data breach, borrowing empirical methodology from criminology and crime science.
Computer forensics is a rapidly growing field that involves gathering and analyzing digital evidence from computers and networks. A computer forensic specialist examines computer media, programs, data, and log files to retrieve possible evidence for law enforcement, criminal prosecutors, and private organizations. When a problem occurs, the specialist must carefully take several steps to identify and recover deleted, hidden, or encrypted files on a suspect's computer and provide expert analysis and testimony.
This document outlines the cybersecurity risks faced by law firms and the steps they should take to protect themselves and their clients. It discusses how law firms are vulnerable targets due to weaknesses in their security protocols. A security assessment is recommended to identify vulnerabilities, followed by continuous monitoring to maintain protection. Establishing attorney-client privilege for communications and properly structuring the role of outside agents are also covered. The presentation aims to educate law firms on cybersecurity best practices.
DIATOMIC Cybersecurity is an interdisciplinary team from the University of Cincinnati's School of Information Technology and School of Criminal Justice. The team provides behavioral cyberthreat assessment and mitigation services by analyzing human behaviors and decisions that can increase cybersecurity risks. The team is composed of Mark Stockman from Information Technology, Joe Nedelec and Bill Mackey from Criminal Justice, and takes an empirical approach informed by crime science and behavioral economics to address non-malicious insider risks.
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
This document summarizes a presentation on cybersecurity risks for law firms and how to protect sensitive client data. The presentation covers:
1. Tips for preventing cyberattacks including having security plans, policies for employees and vendors, and implementing best practices.
2. The response required after a data breach, including activating an incident response plan, securing systems, notifying authorities and counsel, and conducting forensics.
3. Different legal obligations for law firms compared to corporations after a breach in terms of state breach notification laws and preserving attorney-client privilege.
Center for Public Safety and Cybersecurity EducationTaylor Rosecrans
About Us: The Center for Public Safety and Cybersecurity Education (CPSCE) provides cross-disciplinary education and training in cybersecurity and public safety professions. The Center leverages its faculty – who are both thought leaders and practitioners – along with Franklin University’s reputation for excellence in curriculum and course development to create learning experiences that address prevailing security concerns within industries and communities.
The-Lure-The-True-Story-of-How-the-Department-of-Justice-Brought-Down_joa_Eng...A Krista Kivisild
In late 1999, the system administrator of an Internet cafe in Seattle received a message from someone inquiring about the cafe's security. This message launched a three-year investigation into the individuals responsible for the message. The investigation aimed to identify who sent the message, determine what other businesses they targeted, and gather enough evidence of their crimes. The lead prosecutor wrote a book detailing this case against two of the world's most dangerous cyber criminals. The book provides great detail about the hacking activities, trial testimony and evidence, and paints a picture of computer crime prosecution in the US at that time. It follows the investigation process and allows readers to learn about different aspects of such a complex case. While targeting methods are similar today, hackers then
Testing web security security of web sites and applicationsHuong Muoi
This chapter introduces the goals and approach of the book. It aims to raise awareness that firewalls alone are not sufficient for web security and to provide introductory security testing techniques. The book takes a gray-box testing approach, leveraging some knowledge of internal workings to design more effective black-box tests. It seeks to help those new to security testing perform more comprehensive assessments. Statistics are presented showing the growing need for web security testing as attacks are increasingly targeting websites and applications.
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...TI Safe
Cognitive security solutions using artificial intelligence can help address cybersecurity threats by assisting overworked human analysts. Watson provides a cognitive security platform that analyzes both structured security data and vast amounts of unstructured online data to gain insights. It helps speed up investigation of incidents by quickly providing relevant indicators, related threats, and recommended courses of action based on its security knowledge graph. This frees up analysts to focus on higher-level tasks. Customers have seen Watson reduce investigation time from 50 minutes to just 10 minutes on average.
Minimum 2 power point slides on how Mental health organization needs.docxmccullaghjackelyn
Minimum 2 power point slides on how Mental health organization needs to consider cognition and moral reasoning comparing and contrasting American culture with other cultures. List the model or theory addressed and a scenario to help the organization grasp the key concepts.
APA Guidelines
Citations in slides and speaker notes
Use only peer reviewed sources (University of Phoenix if capable)
...
Min 1200 - 1300 words with Min 6 references and in-text citation in .docxmccullaghjackelyn
Min 1200 - 1300 words with Min 6 references and in-text citation in APA reference format.
Essay format to be as below:
- Clarity of Purpose
- Quality of the alignment between learning outcomes and business goals
- Appropriateness of the choice of training methods
- Validity and reliability of the Assessment method
- Awareness of resource and investment requirements
- Mechanics of writing
...
Minimum 200 words... good essay answer format. Describ.docxmccullaghjackelyn
Minimum 200 w
ords
... good essay answer format.
Describe the duties of the FBI. What roles does the agency undertake?
Minimum 200 words... good e
ssay
a
nswer
format.
Identify
and
describe the four types of stress felt by the police ?
...
More Related Content
Similar to Malware Forensics FieldGuide for Windows SystemsDigi.docx
These groups are loosely organized and have a small number of members. They
usually have little experience and rely on pre-packaged tools. Their attacks are usually not
sophisticated and they are more likely to get caught.
Associate: These groups are moderately organized with a moderate number of members. They
have some experience and skills but still rely on pre-packaged tools. Their attacks show some
planning and sophistication.
Principal: These groups are highly organized with a large number of experienced members. They
have strong technical skills and develop their own tools. Their attacks show extensive planning
and are very sophisticated. They are also very security conscious to avoid detection.
In summary, the typologies provided
The document discusses several ethical challenges related to information technology, including issues around software piracy, intellectual property, privacy, computer abuse, appropriate internet use, and establishing codes of ethics for IT professionals. It provides examples of both ethical and unethical behaviors related to computing and asks questions about who is responsible for dealing with ethical issues.
This document provides an overview and discussion of cybersecurity issues related to working from home during the COVID-19 pandemic. It discusses securing home networks and devices, protecting proprietary company information, training employees on cybersecurity best practices, and common cyber threats such as phishing scams taking advantage of coronavirus fears. Resources from government agencies and organizations are also included to help secure remote work environments and defend against cyberattacks.
Margolis Healy Campus Threat Assessment Case Studies: A Training ToolMargolis Healy
Campus Threat Assessment Case Studies: A Training Tool for Investigation, Evalution, and Intervention.
By Margolis Healy
Funded by Department of Justice, Office of Community Oriented Policing Services (COPS)
Released March 2013
This document discusses social engineering and managing the human element of cybersecurity. It begins with an introduction of the author, Dr. John McCarthy, and his background. It then discusses what social engineering is, how attacks are increasing, and the costs organizations face from such attacks. The document outlines common social engineering techniques like phishing and manipulating human psychology. It also discusses how attackers gather information and ways organizations can build countermeasures like security training and evaluating how sensitive information is handled.
DIATOMIC is a team from the University of Cincinnati that provides cybersecurity services focused on analyzing human behavior to assess and mitigate cybersecurity risks. The team includes Mark Stockman from the School of Information Technology, Joe Nedelec and Bill Mackey from the School of Criminal Justice. DIATOMIC's services involve identifying cybersecurity risks at multiple levels of an organization based on non-malicious employee behavior. They then develop customized strategies to incentivize best practices and reduce risks.
Cybersecurity & Data Protection: Thinking About Risk & ComplianceShawn Tuma
Cybersecurity & Data Protection: Thinking About Risk & Compliance is a presentation that Frisco business lawyer Shawn Tuma delivered to the Corporate Counsel Section of the Collin County Bar Association. The presentation date was May 29, 2015.
This document describes the registration process for a free membership to a solutions program run by Syngress publishing. The summary is:
1. Syngress has published several best-selling books on topics like ISA Server 2000 and intrusion detection and one reason for their success is the solutions program.
2. As a registered owner of this Syngress book, the reader can qualify for free access to the member-only solutions program which provides downloadable e-books, an FAQ page, and a forum for interaction with the book authors.
3. To register for the free membership, the reader needs to visit the listed website and go through a simple registration process using the book.
Open Letter to President Obama Opposing Backdoors and Defective EncryptionAlvaro Lopez Ortega
Dear President Obama,
We the undersigned represent a wide variety of civil society organizations dedicated to protecting civil liberties, human rights, and innovation online, as well as technology companies, trade associations, and security and policy experts. We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities
We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.
Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.
In addition to undermining cybersecurity, any kind of vulnerability mandate would also seriously undermine our economic security. U.S. companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency’s surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers—be they domestic or international, 2 individual or institutional—to turn away from those compromised products and services. Instead, they—and many of the bad actors whose behavior the government is hoping to impact—will simply rely on encrypted of
Background and services provided by Alloy Cybersecurity - reducing risk of organizational data breach, borrowing empirical methodology from criminology and crime science.
Computer forensics is a rapidly growing field that involves gathering and analyzing digital evidence from computers and networks. A computer forensic specialist examines computer media, programs, data, and log files to retrieve possible evidence for law enforcement, criminal prosecutors, and private organizations. When a problem occurs, the specialist must carefully take several steps to identify and recover deleted, hidden, or encrypted files on a suspect's computer and provide expert analysis and testimony.
This document outlines the cybersecurity risks faced by law firms and the steps they should take to protect themselves and their clients. It discusses how law firms are vulnerable targets due to weaknesses in their security protocols. A security assessment is recommended to identify vulnerabilities, followed by continuous monitoring to maintain protection. Establishing attorney-client privilege for communications and properly structuring the role of outside agents are also covered. The presentation aims to educate law firms on cybersecurity best practices.
DIATOMIC Cybersecurity is an interdisciplinary team from the University of Cincinnati's School of Information Technology and School of Criminal Justice. The team provides behavioral cyberthreat assessment and mitigation services by analyzing human behaviors and decisions that can increase cybersecurity risks. The team is composed of Mark Stockman from Information Technology, Joe Nedelec and Bill Mackey from Criminal Justice, and takes an empirical approach informed by crime science and behavioral economics to address non-malicious insider risks.
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
This document summarizes a presentation on cybersecurity risks for law firms and how to protect sensitive client data. The presentation covers:
1. Tips for preventing cyberattacks including having security plans, policies for employees and vendors, and implementing best practices.
2. The response required after a data breach, including activating an incident response plan, securing systems, notifying authorities and counsel, and conducting forensics.
3. Different legal obligations for law firms compared to corporations after a breach in terms of state breach notification laws and preserving attorney-client privilege.
Center for Public Safety and Cybersecurity EducationTaylor Rosecrans
About Us: The Center for Public Safety and Cybersecurity Education (CPSCE) provides cross-disciplinary education and training in cybersecurity and public safety professions. The Center leverages its faculty – who are both thought leaders and practitioners – along with Franklin University’s reputation for excellence in curriculum and course development to create learning experiences that address prevailing security concerns within industries and communities.
The-Lure-The-True-Story-of-How-the-Department-of-Justice-Brought-Down_joa_Eng...A Krista Kivisild
In late 1999, the system administrator of an Internet cafe in Seattle received a message from someone inquiring about the cafe's security. This message launched a three-year investigation into the individuals responsible for the message. The investigation aimed to identify who sent the message, determine what other businesses they targeted, and gather enough evidence of their crimes. The lead prosecutor wrote a book detailing this case against two of the world's most dangerous cyber criminals. The book provides great detail about the hacking activities, trial testimony and evidence, and paints a picture of computer crime prosecution in the US at that time. It follows the investigation process and allows readers to learn about different aspects of such a complex case. While targeting methods are similar today, hackers then
Testing web security security of web sites and applicationsHuong Muoi
This chapter introduces the goals and approach of the book. It aims to raise awareness that firewalls alone are not sufficient for web security and to provide introductory security testing techniques. The book takes a gray-box testing approach, leveraging some knowledge of internal workings to design more effective black-box tests. It seeks to help those new to security testing perform more comprehensive assessments. Statistics are presented showing the growing need for web security testing as attacks are increasingly targeting websites and applications.
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...TI Safe
Cognitive security solutions using artificial intelligence can help address cybersecurity threats by assisting overworked human analysts. Watson provides a cognitive security platform that analyzes both structured security data and vast amounts of unstructured online data to gain insights. It helps speed up investigation of incidents by quickly providing relevant indicators, related threats, and recommended courses of action based on its security knowledge graph. This frees up analysts to focus on higher-level tasks. Customers have seen Watson reduce investigation time from 50 minutes to just 10 minutes on average.
Similar to Malware Forensics FieldGuide for Windows SystemsDigi.docx (19)
Minimum 2 power point slides on how Mental health organization needs.docxmccullaghjackelyn
Minimum 2 power point slides on how Mental health organization needs to consider cognition and moral reasoning comparing and contrasting American culture with other cultures. List the model or theory addressed and a scenario to help the organization grasp the key concepts.
APA Guidelines
Citations in slides and speaker notes
Use only peer reviewed sources (University of Phoenix if capable)
...
Min 1200 - 1300 words with Min 6 references and in-text citation in .docxmccullaghjackelyn
Min 1200 - 1300 words with Min 6 references and in-text citation in APA reference format.
Essay format to be as below:
- Clarity of Purpose
- Quality of the alignment between learning outcomes and business goals
- Appropriateness of the choice of training methods
- Validity and reliability of the Assessment method
- Awareness of resource and investment requirements
- Mechanics of writing
...
Minimum 200 words... good essay answer format. Describ.docxmccullaghjackelyn
Minimum 200 w
ords
... good essay answer format.
Describe the duties of the FBI. What roles does the agency undertake?
Minimum 200 words... good e
ssay
a
nswer
format.
Identify
and
describe the four types of stress felt by the police ?
...
Miller (2001) pointed out other perspectives on morality that are ov.docxmccullaghjackelyn
Miller (2001) identified additional perspectives on morality beyond traditional theories, including moralities of community that emphasize relationships and community, and moralities of divinity where religion and spirituality are central to morality. The document asks the reader to design a new perspective called "moralities of x" and describe its moral standards while citing scholarly sources.
MidtermPlease use the following hypothetical scenario to answer th.docxmccullaghjackelyn
Midterm
Please use the following hypothetical scenario to answer the following 5 questions. Each question is worth 20 points for a total of 100 points. When complete upload your document to the dropbox below.
Scenario
Janet Johnson, an African American woman, has been working at the Tennessee Hydroelectric plant for 15 years. During that time, his performance reviews have been exemplary. She decided to apply for the new plant foreman position. Although she felt that she was eminently qualified for the position, she also was growing tired of a certain good old boy culture at the plant. For years, the plant has had a culture of highly lewd “jokes,” and many of the employees had also engaged in inappropriate touching of female employees. The plant had an anti-harassment policy on record, but Janet’s boss shrugged and said “boys will be boys” when she reported the harassment to him.
Competition for the position was fierce. But ultimately, Jose Martinez, a Chilean man, received the position. Jose had 7 years of experience. Unbeknownst to the applicants the promotion board secretly ran a credit check on the applicants. Janet credit score came in as lower as average, and this factored into the board’s decision. Although he met the qualifications of the position, one of the hiring managers told Janet in confidence that Janet was the most qualified person for the job. And the other managers had applied a racial preference on Jose’s behalf due to there never having been a Latino manager at the plant even though Latino’s represented 35% of employees at the plant. Janet sues the plant for disparate treatment, disparate impact, and sexual harassment under Title VII.
Questions
List the elements of disparate treatment and apply them to this case. Can Janet prove a prima facie case? How would the plant rebuff these charges? Who would ultimately prevail?
List the elements of a disparate impact case and apply them to this case? Will Janet prevail on this charge?
List the elements of the sexual harassment case and apply them to this case? Can the plant establish an affirmative defense?
If the plant argues that it applied a racial preference to Jose to correct a manifest imbalance at the plant of underutilization of certain minorities, will the plant prevail? Why or why not?
Was it legal to use the credit check as a factor in the promotion decision the way that it was done here? Why or why not?
...
Mid-course Reflection Please respond to the followingDiscuss you.docxmccullaghjackelyn
Mid-course Reflection" Please respond to the following:
Discuss your overall perceptions of the Research and Writing course thus far. Describe the course concepts that either have seemed familiar or have confused to you. Determine the one (1) or two (2) specific concepts that you would you like explore further. Assist your classmates by sharing your knowledge in relation to their responses.
...
MHA601 week2 discussion 1(300 words)
MHA601 week 2 discussion 2(300 words)
This week, Discussion 1:
asks students to locate a quality improvement & cost saving project implemented in a healthcare setting such as hospital, clinic, nursing home, assisting living, and homecare in the United States. Take a moment to read Section 4.4 Stakeholder Dynamics in the required textbook. You may not be able to find all needed information, which is fine as long as you indicate "no available information found in the article" in your response. Please reach out to your instructor if you have difficulty finding a project that was carried out in the United States.
The U.S. healthcare system has been recognized as a high-cost delivery system with relatively poor quality outcomes, and this situation has not been improved to some extents (Ewing, 2013). Royer asserted that:
Public and private payers have responded to these issues with: 1) financial incentives to improve care outcomes; and 2) more stringent regulations for collecting data on and reporting medical errors and indicators of poor care. Executives and managers in leading health care organizations have recognized poor care coordination as an underlying cause of poor care outcomes, and undertaken large scale organizational process change initiatives to improve quality as well as to reduce costs. (as cited in Frates, 2014, Section 3.2, para. 4)
In the required textbook, Table 3.1: Differentiating Factors for Organization Cost Reduction Efforts lists four differentiators, speed, accountability, scope of change, and LEAN perspective (Frates, 2014). Successful efforts lead to measurable improvements such as less harm due to preventable errors, better patient health outcome and satisfaction, shorter waiting times, etc. The healthcare organizations benefit in a long-run because of reduced capital investments and ongoing expenditures, and an improved reputation that results from better quality care and service.
Discussion 2 covers teams
Delivery healthcare heavily relies on teamwork. Effective teamwork can enhance patient safety, improve quality of patient care, and reduce workload and burnout issues among healthcare professionals. But simply installing a team structure does not guarantee the team will operative effectively (Ezziane et al., 2012). Frates (2014) highlighted four attributes for both functional and dysfunctional teams in Table 4.2. Working effectively in and as a team is an important skill that can be taught and bred. The best quality and cost-effective care and outcomes are attained only if diverse healthcare professionals work together, learn together, and engage in clinical audits of outcomes and innovations to ensure progress in practice and service (Reiss-Brennan, Briot, Savitz, Cannon, & Staheli, 2010). Ezziane and colleagues (2012) argued that effective communication, comprehensive decision making, safety awareness, the ability to resolve conflict, and strong leadership are key contributor ...
Michelle Welsh discussion Board 3 CollapseTop of Form.docxmccullaghjackelyn
Michelle Welsh
discussion Board 3
Collapse
Top of Form
In
How Should We Then Live?
Francis A. Schaeffer (1976) recognizes the vastness of the Roman Empire and its continuing influence on modern civilization. Even though much of mankind still benefits from such Roman innovations as aqueducts and a written code of law as presented by Evan Andrews (2012), the Roman Empire provided no real solutions to the problems that have plagued mankind throughout time. Schaeffer (1976) refers to Rome as having “no sufficient inward base” (p. 29); that is, Rome had no basis higher than themselves for anything they believed or did.
The Romans had many gods; while these gods had some supernatural powers, they also frequently displayed tragic character flaws. They were no different than humans and certainly no better. Because of this, they provided no moral excellence for which humans could strive. Furthermore, the emperors who led the Roman government began to wish to be viewed as gods themselves. Unfortunately, as mere humans, they displayed faults of their own as well.
Schaeffer (1976) states that Rome villainized the rising religion of Christianity because its devotees would not recognize any god (Greek, Roman, or emperor) except the one true God and they had an absolute standard by which to judge themselves and thus the state. This was a great threat to Roman authority as well as to Rome’s “live and let live” lifestyle. They simply could not abide by Christians claim to know the one and only God that would make their own false.
This same attitude toward Christianity is easily seen in our Western culture today. Society enjoys allowing every person to do as his pleases, until one group—the Christian religion--claims to know and live by an absolute standard. While modern-day Christians in the West are not thrown to the lions, they are pressured to be accepting of all ways of life, even those in direct contrast to their Biblically-based beliefs.
Christianity has withstood the test of time because it does have an inward base. It is the belief in the one true God and His Word, giving followers the purposeful base needed for all of life.
(Word count: 352)
References
Andrews, E. (2012, November 20).
10 Innovations that built ancient Rome
. Retrieved from http://www.history.com/news/history-lists/10-innovations-that-built-ancient-rome
Schaeffer, F. A. (1976). How should we then live? Old Tappan, NJ. Fleming H. Revell Company
Bottom of Form
Armand Paladino
Fall of Rome
Collapse
Top of Form
I believe that Francis is right about his belief that Rome fell due to its insufficient base. Rome was very pompous, had no organization, did not keep anything constant and had the wrong idea about religion. Rome’s people were known to have big heads and thing that they were the best at everything. This mindset let them believe that there was no room for improvement and they never experimented or tried new things, which lead them to their demise. If ...
Michele is aware of the importance of diversity within the company. .docxmccullaghjackelyn
Michele is aware of the importance of diversity within the company. She does not, however, realize the differences between diversity and culture, and how this impacts teamwork. As the HR Manager, Michele has asked you for a plan to motivate the employees at Lollipop Company, Inc.
For this project assignment on Lollipop Company, Inc. complete a minimum of a 3-page business professional report that addresses the following concepts:
Discuss the key elements of motivating a culturally diverse organization.
Why is diversity inclusion important? What are the benefits?
Discuss how working with others can help with respect for diversity and respect for diverse perspectives.
Explain how your plan will motivate and engage a culturally diverse workforce.
Also, describe your plan for encouraging teamwork among a diverse workforce and ensuring that employees make meaningful and valuable contributions to team projects and tasks.
APA FORMAT WITH INTEXT CITATION, SEE ATTACHED DOCUMENT FOR ADDITIONAL INFORMATION
...
Menu SelectionDespite being a fairly old technology, menu-driven i.docxmccullaghjackelyn
Menu Selection
Despite being a fairly old technology, menu-driven interfaces are very common in user interface design. Menu-driven interfaces consist of a series of screens which are navigated by choosing options from lists.
Write a four to five (4-5) page paper in which you:
Evaluate the user dialog strategies used by a menu-driven interface.
Determine why menu-driven interfaces continue to be popular in the modern computing age.
Suggest at least three (3) strategies for making menu-driven interfaces visually appealing in the modern computing environment.
Suggest alternatives for menu-driven interface design and explain how these alternatives can be designed to eventually replace all menu-driven interfaces.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
...
MeritocracyExplain how the United States compares to other countri.docxmccullaghjackelyn
The document asks about social mobility rates in the US compared to other countries and whether the US can truly be considered a meritocracy. It prompts a 3 paragraph response discussing whether social mobility opportunities are equal for all groups in society, why or why not, and how attending college relates to the concept of meritocracy. Examples and references from the textbook and other sources should support the response.
MethodologyIn this Discussion, you will begin putting together.docxmccullaghjackelyn
Methodology
In this Discussion, you will begin putting together your Methodology section. In your post, you should include the following information:
State your research hypothesis.
Who are your participants and how will you select them?
What are your independent and dependent variables?
How do you operationally define your independent and dependent variables?
What data will you collect on these variables and how will you collect those data?
Ethics in Research Design
Based on your reading of the
Belmont Report
, your previous NIH Certification training and your textbook, what do you see as the most important ethical responsibilities of the educational researcher?
Why are the principles of the Belmont Report necessary?
What types of risk are important to consider in educational research?
If a research project is poorly designed, could the risk to the participant outweigh the benefit?
Why are some groups considered vulnerable populations, and what does it mean to be a vulnerable population in terms of research?
...
Methods of AnalysisUsing your text and at least one scholarly sour.docxmccullaghjackelyn
Methods of Analysis
Using your text and at least one scholarly source, prepare a two to three page paper, in APA format, and evaluate the three methods of analysis: Horizontal, vertical, and ratio as explained in your course textbook.
Summarize each method, and discuss how the financial information is used to make a particular decision.
Provide a scenario in a health care situation in which a given method of analysis might be used.
...
Methods to Stop Different Cyber CrimesCompile a list of methods to.docxmccullaghjackelyn
Methods to Stop Different Cyber Crimes
Compile a list of methods to stop different cyber crimes. Using the book and other resources, write a 1 to 1 ½ page paper (using APA style formatting) on methods to either catch or stop cyber criminals. Explain the different methods in detail.
NOTE: This information along with the information in Module 2's written assignment will be used in Module 8's written assignment.
...
Message expanded.Message readAir Pollution vs. Global Warmingp.docxmccullaghjackelyn
Message expanded.
Message read
Air Pollution vs. Global Warming
posted by
JOHN JACOBS
, Jan 15, 2017, 11:25 AM
As you will recall from the tirst week of class, the environmental movement led to great changes in the way we dealt witb air and water pollution. In the years between 1955 and 1975 legislation was passed, with support from both parties that pretty much cleaned up the air and waters that we had fouled so badly by then. Today we are still struggling with those same pollution problems but we are also faced with the challenge of Global Warming, which is basically an air pollution problem.
How does the risk / damage that we face from Global Warming compare with the risks / damages we faced back in the 1950s from what we knew to be air pollution?
I would say that one thing that has changed since the Environmental Movement is that business has learned how to oppose air pollution control by the government / public much more effectively. What are some of the tactics businesses use to avoid having to change the way they do business to protect the public and the environment?
...
Michael AlvarezIn chapter 3 of your textbook, you should have enga.docxmccullaghjackelyn
Michael Alvarez
In chapter 3 of your textbook, you should have engaged in what we know about teaching. One of the most powerful ways to demonstrate your knowledge of these concepts is to apply them in a real life setting. Please read the case study below and answer the questions in this forum.
Overview
Michael is a 15-year-old native Spanish-speaking student in a 9th grade ELL (English Language Learners) class of 23 students in a suburban California public school. He has been in the United States and attending school for the past three years, having emigrated from Mexico City with his parents and two younger siblings.
Problem
While Michael speaks English well – he is skilled in the face-to face conversational fluency known as BICS (Basic Interpersonal Communication Skills) - he struggles with reading and writing English. He manifests his frustration in a variety of ways including, but not limited to: routinely arriving late to class; failing to complete homework assignments; interrupting his teacher when she is explaining an upcoming assignment; refusing to participate in collaborative groups. Michael’s openly disruptive behavior is impacting other students in the class. Three Spanish-speaking students (two males and one female) have begun conversing across the classroom with Michael in Spanish.
Key Players
Ms. Watkins, Michael’s ELL teacher. In addition to two ELL classes, Ms. Watkins also teaches three sections of Advanced Placement English Language.
The other ELL students in the class, each of whom is at a different level of English-language mastery.
Sabrina, Michael’s 8 year old sister.
Victor, Michael’s 11 year old brother.
Contributing Factors
Michael is currently repeating all of his classes – except for Introduction to Algebra – that he failed the previous year;
At 15, he is older than most of the students in his ELL class;
Several students in Michael’s ELL class have expressed to Ms. Watkins their discomfort with Michael’s behavior;
Michael’s sister Sabrina is fluent in reading, writing and speaking English. Sabrina is currently placed at grade level in a 3rd grade mainstream class.
His brother Victor is also moving toward full fluency in English. Victor is currently at grade level in a 6th grade ELL class.
Michael is working part-time job after school and on Saturdays and is unable to attend remediation or support classes;
Michael’s parents have not attended Back-To-School night and have not responded to Ms. Watkins’ e-mails and phone messages.
Designing a
Solution
Construct an intervention plan for Michael by answering the following questions:
Which approach – Constructivism, Cognitivism, or Behaviorism – would you take? Why?
What strategies would you use to improve Michael’s classroom behavior and participation?
How would you encourage him to complete and submit assignments on time as well as to establish personal learning goals?
Can you name some ways you would involve Michael’s parents and siblings in supporting these learning g ...
Methodologydue date Friday 01062Extraneous Variables .docxmccullaghjackelyn
Methodology
due date Friday 01/06
2
Extraneous Variables (and plan for how controlled).
Instruments: Description, validity, and reliability estimates, which have been performed (on a pre-established measure). Include plans for testing validity and reliability of generating your own instrument(s).
Description of the Intervention
Data Collection Procedures
...
Microsoft CEO Satya Nadella Looks to Future Beyond Windows300 - .docxmccullaghjackelyn
Microsoft CEO Satya Nadella Looks to Future Beyond Windows
300 - to 700- word APA Format
What kind of planning missteps helped cause Microsoft's decline over the past few years?
How is Nadella trying to eliminate some of the bureaucracy that has hurt the company's ability to innovate?
What business strategies has Nadella implemented that will help revitalize the technology giant?
Will send more details.
...
Message Map Create a message map for a crisis or risk situation .docxmccullaghjackelyn
Message Map
Create a message map for a crisis or risk situation in your field/organization. Identify who the stakeholders for the message are, potential stakeholder questions and concerns, key messages, and supporting facts. (An example message map can be found on page 72 of the Walaski textbook.)
...
Message UnreadMark as UnreadMessage Not FlaggedSet FlagP.docxmccullaghjackelyn
Message Unread
Mark as Unread
Message Not Flagged
Set Flag
Posted : February 1, 2011 4:49:05 PM EST
Last edited : April 12, 2017 11:38:12 PM EDT
posted 6 years ago (last edited 9 days ago)
5 years ago
22.04.2017
10
Report Issue
Answer
(
0
)
Bids
(
0
)
other Questions
(
10
)
two assignments
3 Page Brain system paper
Hazardous material incident research paper
Net Present Value Help
essay for english course
3 Question for tutor kate
WORKSHEET ON ENVIRONMENTAL SCIENCE LAB FOR PROF ELIUD P ONLY
Assignment
Write Specific and critical viewpoints on Donald Marquis on Abortion
300 word DB response
...
हिंदी वर्णमाला पीपीटी, hindi alphabet PPT presentation, hindi varnamala PPT, Hindi Varnamala pdf, हिंदी स्वर, हिंदी व्यंजन, sikhiye hindi varnmala, dr. mulla adam ali, hindi language and literature, hindi alphabet with drawing, hindi alphabet pdf, hindi varnamala for childrens, hindi language, hindi varnamala practice for kids, https://www.drmullaadamali.com
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
How to Fix the Import Error in the Odoo 17Celine George
An import error occurs when a program fails to import a module or library, disrupting its execution. In languages like Python, this issue arises when the specified module cannot be found or accessed, hindering the program's functionality. Resolving import errors is crucial for maintaining smooth software operation and uninterrupted development processes.
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
Main Java[All of the Base Concepts}.docxadhitya5119
This is part 1 of my Java Learning Journey. This Contains Custom methods, classes, constructors, packages, multithreading , try- catch block, finally block and more.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPRAHUL
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
2. information storage and retrieval system, without permission in
writing from the
publisher. Details on how to seek permission, further
information about the
Publisher’s permissions policies and our arrangements with
organizations such as
the Copyright Clearance Center and the Copyright Licensing
Agency, can be
found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are
protected under
copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly
changing. As new
research and experience broaden our understanding, changes in
research methods
or professional practices, may become necessary. Practitioners
and researchers
must always rely on their own experience and knowledge in
evaluating and using
any information or methods described herein. In using such
information or
methods they should be mindful of their own safety and the
safety of others,
including parties for whom they have a professional
responsibility.
To the fullest extent of the law, neither the Publisher nor the
authors,
contributors, or editors, assume any liability for any injury
and/or damage to
3. contributors, or editors, assume any liability for any injury
and/or damage to
persons or property as a matter of products liability, negligence
or otherwise, or
from any use or operation of any methods, products,
instructions, or ideas
contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British
Library.
ISBN: 978-1-59749-472-4
For information on all Syngress publications visit our website at
http://store.elsevier.com
Printed in the United States of America
12 13 14 15 16 10 9 8 7 6 5 4 3 2 1
Typeset by: diacriTech, Chennai, India
For our moms, who taught us determination, patience,
creativity, and to live passionately.
4. Acknowledgments
Cameron would like to thank a number of people for their
guidance, support, and ideas on this book—without them it
would not have happened. James and Eoghan I appreciate your
willingness to keep an open mind and embrace the format and
structure of this book; it was a rewarding challenge. I’m proud
to
work with you both.
Thanks to the Syngress crew for your patience and
understanding of our vision: Steve Elliot, Angelina Ward, Laura
Colantoni, Matthew Cater, Paul Gottehrer, Chris
Katsaropoulos, and David Bevans.
Not to be forgotten are the some terrific researchers,
developers, and forensic practitioners who assisted and
supported this book: Mila Parkour
(contagiodump.blogspot.com), Ero Carera and Christian
Blichmann (Zynamics), Matthew Shannon (F-Response), Maria
Lucas (HBGary), Thorsten Holz (Assistant Professor at Ruhr-
University Bochum; http://honeyblog.org/), Tark (ccso.com),
and
Danny Quist (offensivecomputing.net).
For your friendship, camaraderie, and day-to-day hi-jinks,
For your friendship, camaraderie, and day-to-day hi-jinks,
“Team Cyber” of the Los Angeles Cyber Division—you are a
fantastic crew and I miss you. Jason, Ramyar, and Bryan—my
friends and confidants—thank you for everything, we had a
good
5. run.
My sister Alecia—your determination and focus are an
inspiration to me. “No lying on the couch!”
Finally, to my lovely wife Adrienne, I am so lucky to have
you in my life—thanks for being a “team” with me—I love you.
Bentley and Barkley—thanks for being Daddy’s little “writing
buddies.”
Special Thanks to the Technical
Editor
Malware Forensics Field Guide for Windows Systems was
reviewed by a digital forensic expert who is a fantastic author in
his own right. My sincerest thanks to Curtis W. Rose for your
tenacity and attention to detail—we’re lucky to work with you.
About the Authors
Cameron H. Malin is a Supervisory Special Agent with the
Federal Bureau of Investigation assigned to a Cyber Crime
squad in Los Angeles, California, where he is responsible for
the
investigation of computer intrusion and malicious code matters.
In 2010, Mr. Malin was a recipient of the Attorney General’s
Award for Distinguished Service for his role as a Case Agent in
Operation Phish Phry.
Mr. Malin is the Chapter Lead for the Southern California
6. Chapter of the Honeynet Project, an international non-profit
organization dedicated to improving the security of the Internet
through research, analysis, and information regarding computer
and network security threats. Mr. Malin currently sits on the
Editorial Board of the International Journal of Digital
Evidence (IJDE) and is a Subject Matter Expert for the
Information Assurance Technology Analysis Center (IATAC)
and Weapon Systems Technology and Information Analysis
Center (WSTIAC).
Mr. Malin is a Certified Ethical Hacker (C|EH) and
Certified Network Defense Architect (C|NDA) as designated by
Certified Network Defense Architect (C|NDA) as designated by
the International Council of Electronic Commerce Consultants
(EC-Council) and a Certified Information Systems Security
Professional (CISSP), as designated by the International
Information Systems Security Certification Consortium
((ISC)2®).
Prior to working for the FBI, Mr. Malin was an Assistant
State Attorney (ASA) and Special Assistant United States
Attorney (SAUSA) in Miami, Florida, where he specialized in
computer crime prosecutions. During his tenure as an ASA, Mr.
Malin was also an Assistant Professorial Lecturer in the
Computer Fraud Investigations Masters Program at George
Washington University.
The techniques, tools, methods, views, and opinions
explained by Cameron Malin are personal to him, and do not
represent those of the United States Department of Justice, the
Federal Bureau of Investigation, or the government of the
United
States of America. Neither the Federal government nor any
7. Federal agency endorses this book or its contents in any way.
Eoghan Casey is founding partner of cmdLabs, author of
the foundational book Digital Evidence and Computer Crime,
and coauthor of Malware Forensics: Investigating and
Analyzing Malicious Code. For over a decade he has
dedicated himself to advancing the practice of incident handling
and digital forensics. He helps client organizations handle
security
breaches and analyzes digital evidence in a wide range of
investigations, including network intrusions with international
scope. He works at the Department of Defense Cyber Crime
scope. He works at the Department of Defense Cyber Crime
Center (DC3) on research and tool development. He has
testified in civil and criminal cases, and has submitted expert
reports and prepared trial exhibits for computer forensic and
cyber-crime cases.
As a Director of Digital Forensics and Investigations at
Stroz Friedberg, he maintained an active docket of cases and
co-managed the firm’s technical operations in the areas of
computer forensics, cyber-crime response, incident handling,
and
electronic discovery. He also spearheaded Stroz Friedberg’s
external and in-house forensic training programs as Director of
Training. Mr. Casey has performed thousands of forensic
acquisitions and examinations, including Windows and UNIX
systems, Enterprise servers, smart phones, cell phones, network
logs, backup tapes, and database systems. He also has extensive
information security experience, as an Information Security
Officer at Yale University and in subsequent consulting work.
He
has performed vulnerability assessments; deployed and
8. maintained intrusion detection systems, firewalls, and public
key
infrastructures; and developed policies, procedures, and
educational programs for a variety of organizations.
Mr. Casey holds a B.S. in Mechanical Engineering from the
University of California at Berkeley, and an M.A. in
Educational
Communication and Technology from New York University. He
conducts research and teaches graduate students at Johns
Hopkins University Information Security Institute, and is
Editor-
in-Chief of Digital Investigation: The International Journal of
in-Chief of Digital Investigation: The International Journal of
Digital Forensics and Incident Response.
James M. Aquilina, Executive Managing Director and
Deputy General Counsel, contributes to the management of
Stroz Friedberg and the handling of its legal affairs, in addition
to
having overall responsibility for the Los Angeles, San
Francisco,
and Seattle offices. He supervises numerous digital forensic,
Internet investigative, and electronic discovery assignments for
government agencies, major law firms, and corporate
management and information systems departments in criminal,
civil, regulatory, and internal corporate matters, including
matters
involving data breach, e-forgery, wiping, mass deletion and
other
forms of spoliation, leaks of confidential information,
computer-
enabled theft of trade secrets, and illegal electronic
9. surveillance.
He has served as a neutral expert and has supervised the court-
appointed forensic examination of digital evidence. Mr.
Aquilina
also has led the development of the firm’s online fraud and
abuse
practice, regularly consulting on the technical and strategic
aspects of initiatives to protect computer networks from
spyware
and other invasive software, malware and malicious code,
online
fraud, and other forms of illicit Internet activity. His deep
knowledge of botnets, distributed denial of service attacks, and
other automated cyber-intrusions enables him to provide
companies with advice and solutions to tackle incidents of
computer fraud and abuse and bolster their infrastructure
protection.
Prior to joining Stroz Friedberg, Mr. Aquilina was an
Assistant U.S. Attorney (AUSA) in the Criminal Division of the
Assistant U.S. Attorney (AUSA) in the Criminal Division of the
U.S. Attorney’s Office for the Central District of California,
where he most recently served in the Cyber and Intellectual
Property Crimes Section. He also served as a member of the
Los Angeles Electronic Crimes Task Force, and as chair of the
Computer Intrusion Working Group, an inter-agency cyber-
crime response organization. As an AUSA, Mr. Aquilina
conducted and supervised investigations and prosecutions of
computer intrusions, extortionate denial of service attacks,
computer and Internet fraud, criminal copyright infringement,
theft of trade secrets, and other abuses involving the theft and
use of personal identity. Among his notable cyber cases, Mr.
Aquilina brought the first U.S. prosecution of malicious botnet
10. activity against a prolific member of the “botmaster
underground”
who sold his armies of infected computers for the purpose of
launching attacks and spamming and used his botnets to
generate
income from the surreptitious installation of adware; tried to
jury
conviction the first criminal copyright infringement case
involving
the use of digital camcording equipment; supervised the
government’s continuing prosecution of Operation Cyberslam,
an international intrusion investigation involving the use of
hired
hackers to launch computer attacks against online business
competitors; and oversaw the collection and analysis of
electronic evidence relating to the prosecution of a local
terrorist
cell operating in Los Angeles.
During his tenure at the U.S. Attorney’s Office, Mr.
Aquilina also served in the Major Frauds and
Terrorism/Organized Crime Sections, where he investigated and
Terrorism/Organized Crime Sections, where he investigated and
tried numerous complex cases, including a major corruption
trial
against an IRS Revenue Officer and public accountants, a fraud
prosecution against the French bank Credit Lyonnais in
connection with the rehabilitation and liquidation of the now
defunct insurer Executive Life, and an extortion and kidnapping
trial against an Armenian organized crime ring. In the wake of
the
September 11, 2001, attacks Mr. Aquilina helped establish and
run the Legal Section of the FBI’s Emergency Operations
11. Center.
Before public service, Mr. Aquilina was an associate at the
law firm Richards, Spears, Kibbe & Orbe in New York, where
he focused on white collar defense work in federal and state
criminal and regulatory matters.
He served as a law clerk to the Honorable Irma E.
Gonzalez, U.S. District Judge, Southern District of California.
He
received his B.A. magna cum laude from Georgetown
University, and his J.D. from the University of California,
Berkeley School of Law, where he was a Richard Erskine
Academic Fellow and served as an Articles Editor and
Executive
Committee Member of the California Law Review.
He currently serves as an Honorary Council Member on
cyber-law issues for the EC-Council, the organization that
provides the C|EH and CHFI (Certified Hacking Forensic
Investigator) certifications to leading security industry
professionals worldwide. Mr. Aquilina is a member of Working
Group 1 of the Sedona Conference, the International
Association of Privacy Professionals, the Southern California
Honeynet Project, the Los Angeles Criminal Justice Inn of
Court, and the Los Angeles County Bar Association. He also
serves on the Board of Directors of the Constitutional Rights
Foundation, a non-profit educational organization dedicated to
providing young people with access to and understanding of law
and the legal process.
Mr. Aquilina is co-author of Malware Forensics:
Investigating and Analyzing Malicious Code.
12. About the Technical Editor
Curtis W. Rose is the President and founder of Curtis W. Rose
& Associates LLC, a specialized services company in Columbia,
Maryland, which provides computer forensics, expert testimony,
litigation support, and computer intrusion response and training
to commercial and government clients. Mr. Rose is an industry-
recognized expert with over 20 years of experience in
investigations, computer forensics, and technical and
information
security.
Mr. Rose was a co-author of Real Digital Forensics:
Computer Security and Incident Response, and was a
contributing author or technical editor for many popular
information security books including Handbook of Digital
Forensics and Investigation; Malware Forensics:
Investigating and Analyzing Malicious Code; SQL Server
Forensic Analysis; Anti-Hacker Toolkit, 1st Edition; Network
Security: The Complete Reference; and Incident Response
and Computer Forensics, 2nd Edition. He has also published
whitepapers on advanced forensic methods and techniques
including “Windows Live Response Volatile Data Collection:
including “Windows Live Response Volatile Data Collection:
Non-Disruptive User and System Memory Forensic Acquisition”
and “Forensic Data Acquisition and Processing Utilizing the
Linux Operating System.”
13. Introduction to Malware
Forensics
Since the publication of Malware Forensics: Investigating and
Analyzing Malicious Code in 2008,1 the number and
complexity of programs developed for malicious and illegal
purposes has grown substantially. The 2011 Symantec Internet
Security Threat Report announced that over 286 million new
threats emerged in the past year.2 Other anti-virus vendors,
including F-Secure, forecast an increase in attacks against
mobile
devices and SCADA systems in 2011.3
In the past, malicious code has been categorized neatly
(e.g., viruses, worms, or Trojan horses) based upon
functionality
and attack vector. Today, malware is often modular and
multifaceted, more of a “blended-threat,” with diverse
functionality and means of propagation. Much of this malware
has been developed to support increasingly organized,
professional computer criminals. Indeed, criminals are making
extensive use of malware to control computers and steal
personal, confidential, or otherwise proprietary information for
personal, confidential, or otherwise proprietary information for
profit. In Operation Trident Breach,4 hundreds of individuals
were arrested for their involvement in digital theft using
malware
such as ZeuS. A thriving gray market ensures that today’s
malware is professionally developed to avoid detection by
14. current AntiVirus programs, thereby remaining valuable and
available to any cyber-savvy criminal group.
Of growing concern is the development of malware to
disrupt power plants and other critical infrastructure through
computers, referred to by some as Cyber Warfare. The StuxNet
malware that emerged in 2010 is a powerful demonstration of
the potential for such attacks.5 Stuxnet was a sophisticated
program that enabled the attackers to alter the operation of
industrial systems, like those in a nuclear reactor, by accessing
programmable logic controllers connected to the target
computers. This type of attack could shut down a power plant or
other components of a society’s critical infrastructure,
potentially
causing significant harm to people in a targeted region.
Foreign governments are funding teams of highly skilled
hackers to develop customized malware to support industrial
and
military espionage.6 The intrusion into Google’s systems
demonstrates the advanced and persistent capabilities of such
attackers.7 These types of well-organized attacks, known as the
“Advanced Persistent Threat (APT),” are designed to maintain
long-term access to an organization’s network in order to steal
information/gather intelligence and are most commonly
associated with espionage. The increasing use of malware to
associated with espionage. The increasing use of malware to
commit espionage and crimes and launch cyber attacks is
compelling more digital investigators to make use of malware
analysis techniques and tools that were previously the domain
of
anti-virus vendors and security researchers.
15. This Field Guide was developed to provide practitioners
with the core knowledge, skills, and tools needed to combat this
growing onslaught against computer systems.
How to Use this Book
This book is intended to be used as a tactical reference
while in the field.
This Field Guide is designed to help digital investigators
identify malware on a computer system, examine malware to
uncover its functionality and purpose, and determine malware’s
impact on a subject system. To further advance malware
analysis
as a forensic discipline, specific methodologies are provided
and
legal considerations are discussed so that digital investigators
can
perform this work in a reliable, repeatable, defensible, and
thoroughly documented manner.
Unlike Malware Forensics: Investigating and
Analyzing Malicious Code, which uses practical case scenarios
throughout the text to demonstrate techniques and associated
tools, this Field Guide strives to be both tactical and practical,
structured in a succinct outline format for use in the field, but
with
cross-references signaled by distinct graphical icons to
supplemental components and online resources for the field and
lab alike.
Supplemental Components
16. The supplementary components used in this Field Guide
include:
• Field Interview Questions: An organized and detailed
interview question and answer form that can be used
while responding to a malicious code incident.
• Field Notes: A structured and detailed note-taking
solution, serving as both guidance and a reminder
checklist while responding in the field or in the lab.
• Pitfalls to Avoid: A succinct list of commonly
encountered mistakes and discussion of how to avoid
these mistakes.
• Tool Box : A resource for the digital investigator to learn
about additional tools that are relevant to the subject
matter discussed in the corresponding substantive
chapter section. The Tool Box icon ( —a wrench and
hammer) is used to notify the reader that additional tool
information is available in the Tool Box appendix at the
end of each chapter, and on the book’s companion Web
site, www.malwarefieldguide.com.
• Selected Readings: A list of relevant supplemental
reading materials relating to topics covered in the
chapter.
17. Investigative Approach
When malware is discovered on a system, the
importance of organized methodology, sound analysis,
steady documentation, and attention to evidence dynamics
all outweigh the severity of any time pressure to
investigate.
Organized Methodology
The Field Guide’s overall methodology for dealing with
malware incidents breaks the investigation into five phases:
Phase 1: Forensic preservation and examination of volatile
data (Chapter 1)
Phase 2: Examination of memory (Chapter 2)
Phase 3: Forensic analysis: examination of hard drives
(Chapter 3)
Phase 4: File profiling of an unknown file (Chapters 5)
Phase 5: Dynamic and static analysis of a malware
specimen (Chapter 6)
18. Within each of these phases, formalized methodologies
and goals are emphasized to help digital investigators
reconstruct
a vivid picture of events surrounding a malware infection and
gain
a detailed understanding of the malware itself. The
methodologies outlined in this book are not intended as a
checklist to be followed blindly; digital investigators always
must
apply critical thinking to what they are observing and adjust
accordingly.
Whenever feasible, investigations involving malware
should extend beyond a single compromised computer, as
malicious code is often placed on the computer via the network,
and most modern malware has network-related functionality.
Discovering other sources of evidence, such as servers the
malware contacts to download components or instructions, can
provide useful information about how malware got on the
computer and what it did once installed.
In addition to systems containing artifacts of compromise,
other network and data sources may prove valuable to your
investigation. Comparing available backup tapes of the
compromised system to the current state of the system, for
example, may uncover additional behavioral attributes of the
malware, tools the attacker left behind, or recoverable files
containing exfiltrated data. Also consider checking centralized
logs from anti-virus agents, reports from system integrity
checking tools like Tripwire, and network level logs.
Network forensics can play a key role in malware
incidents, but this extensive topic is beyond the scope of our
19. incidents, but this extensive topic is beyond the scope of our
Field Guide. One of the author’s earlier works8 covers tools and
techniques for collecting and utilizing various sources of
evidence
on a network that can be useful when investigating a malware
incident, including Intrusion Detection Systems, NetFlow logs,
and network traffic. These logs can show use of specific
exploits,
malware connecting to external IP addresses, and the names of
files being stolen. Although potentially not available prior to
discovery of a problem, logs from network resources
implemented during the investigation may capture meaningful
evidence of ongoing activities.
Remember that well-interviewed network administrators,
system owners, and computer users often help develop the best
picture of what actually occurred.
Finally, as digital investigators are more frequently asked
to conduct malware analysis for investigative purposes that may
lead to the victim’s pursuit of a civil or criminal remedy,
ensuring
the reliability and validity of findings means compliance with
an
oft complicated legal and regulatory landscape. Chapter 4,
although no substitute for obtaining counsel and sound legal
advice, explores some of these concerns and discusses certain
legal requirements or limitations that may govern the
preservation, collection, movement and analysis of data and
digital artifacts uncovered during malware forensic
investigations.
Forensic Soundness
20. The act of collecting data from a live system may cause
changes that a digital investigator will need to justify, given its
impact on other digital evidence.
• For instance, running tools like Helix3 Pro9 from a
removable media device will alter volatile data when
loaded into main memory and create or modify files and
Registry entries on the evidentiary system.
• Similarly, using remote forensic tools necessarily
establishes a network connection, executes instructions
in memory, and makes other alterations on the
evidentiary system.
Purists argue that forensic acquisitions should not alter
the original evidence source in any way. However, traditional
forensic disciplines like DNA analysis suggest that the measure
of forensic soundness does not require that an original be left
unaltered. When samples of biological material are collected,
the
process generally scrapes or smears the original evidence.
Forensic analysis of the evidentiary sample further alters the
original evidence, as DNA tests are destructive. Despite
changes
that occur during both preservation and processing, these
methods are nonetheless considered forensically sound and the
evidence is regularly admitted in legal proceedings.
Some courts consider volatile computer data
21. discoverable, thereby requiring digital investigators to preserve
discoverable, thereby requiring digital investigators to preserve
data on live systems. For example, in Columbia Pictures
Industries v. Bunnell,10 the court held that RAM on a Web
server could contain relevant log data and was therefore within
the scope of discoverable information in the case.
Documentation
One of the keys to forensic soundness is documentation.
• A solid case is built on supporting documentation that
reports on where the evidence originated and how it was
handled.
• From a forensic standpoint, the acquisition process should
change the original evidence as little as possible, and any
changes should be documented and assessed in the
context of the final analytical results.
• Provided both that the acquisition process preserves a
complete and accurate representation of the original
data, and the authenticity and integrity of that
representation can be validated, the acquisition is
generally considered forensically sound.
Documenting the steps taken during an investigation, as
well as the results, will enable others to evaluate or repeat the
22. analysis.
analysis.
• Keep in mind that contemporaneous notes are often
referred to years later to help digital investigators recall
what occurred, what work was conducted, and who
was interviewed, among other things.
• Common forms of documentation include screenshots,
captured network traffic, output from analysis tools, and
notes.
• When preserving volatile data, document the date and
time that data was preserved and which tools were used,
and calculate the MD5 of all output.
• Whenever dealing with computers, it is critical to note the
date and time of the computer, and compare it with a
reliable time source to assess the accuracy of date-time
stamp information associated with the acquired data.
Evidence Dynamics
Unfortunately, digital investigators rarely are presented with
the perfect digital crime scene. Many times the malware or
attacker purposefully has destroyed evidence by deleting logs,
overwriting files, or encrypting incriminating data. Often the
digital investigator is called to an incident only after the victim
has
taken initial steps to remediate—and in the process, has either
23. destroyed critical evidence, or worse, compounded the damage
to the system by invoking additional hostile programs.
This phenomenon is not unique to digital forensics.
Violent crime investigators regularly find that offenders
attempted
to destroy evidence or EMT first responders disturbed the crime
scene while attempting to resuscitate the victim. These types of
situations are sufficiently common to have earned a name
—evidence dynamics.
Evidence dynamics is any influence that changes,
relocates, obscures, or obliterates evidence—regardless of
intent
—between the time evidence is transferred and the time the case
is adjudicated.11
• Evidence dynamics is a particular concern in malware
incidents because there is often critical evidence in
memory that will be lost if not preserved quickly and
properly.
• Digital investigators must live with the reality that they will
rarely have an opportunity to examine a digital crime
scene in its original state and should therefore expect
some anomalies.
• Evidence dynamics creates investigative and legal
challenges, making it more difficult to determine what
occurred, and making it more difficult to prove that the
evidence is authentic and reliable.
• Any conclusions the digital investigator reaches without
knowledge of how evidence was changed may be
24. knowledge of how evidence was changed may be
incorrect, open to criticism in court, or misdirect the
investigation.
• The methodologies and legal discussion provided in this
Field Guide are designed to minimize evidence dynamics
while collecting volatile data from a live system using
tools that can be differentiated from similar utilities
commonly used by intruders.
Forensic Analysis in Malware
Investigations
Malware investigation often involves the preservation
and examination of volatile data; the recovery of deleted
files; and other temporal, functional, and relational kinds
of computer forensic analysis.
Preservation and Examination of Volatile
Data
Investigations involving malicious code rely heavily on
forensic
preservation of volatile data. Because operating a suspect
computer usually changes the system, care must be taken to
minimize the changes made to the system; collect the most
25. volatile data first (aka Order of Volatility, which is described in
detail in RFC 3227: Guidelines for Evidence Collection and
Archiving);12 and thoroughly document all actions taken.
Technically, some of the information collected from a live
system in response to a malware incident is non-volatile. The
following subcategories are provided to clarify the relative
importance of what is being collected from live systems.
• Tier 1 Volatile Data: Critical system details that provide
the investigator with insight as to how the system was
compromised and the nature of the compromise.
compromised and the nature of the compromise.
Examples include logged-in users, active network
connections, and the processes running on the system.
• Tier 2 Volatile Data : Ephemeral information, while
beneficial to the investigation and further illustrative of the
nature and purpose of the compromise and infection, is
not critical to identification of system status and details.
Examples of these data include scheduled tasks and
clipboard contents.
• Tier 1 Non-volatile Data: Reveals the status, settings,
and configuration of the target system, potentially
providing clues as to the method of the compromise and
infection of the system or network. Examples include
registry settings and audit policy.
• Tier 2 Non-volatile Data: Provides historical
information and context, but is not critical to system
status, settings, or configuration analysis. Examples of
these data include system event logs and Web browser
history.
26. The current best practices and associated tools for
preserving and examining volatile data on Windows systems are
covered in Chapter 1 (Malware Incident Response: Volatile
Data Collection and Examination on a Live Windows System)
a nd Chapter 2 (Memory Forensics: Analyzing Physical and
Process Memory Dumps for Malware Artifacts).
Recovering Deleted Files
Specialized forensic tools have been developed to recover
deleted files that are still referenced in the file system. It is also
possible to salvage deleted executables from unallocated space
possible to salvage deleted executables from unallocated space
that are no longer referenced in the file system. One of the most
effective tools for salvaging executables from unallocated space
is “foremost,” as shown in Figure I.1 using the “-t” option,
which
uses internal carving logic rather than simply headers from the
configuration file.
Figure I.1 Using foremost to carve executable files from
unallocated disk space
Other Tools to Consider
27. Data Carving Tools
DataLifter http://www.datalifter.com
Scalpel http://www.digitalforensicssolutions.com/Scalpel/
PhotoRec http://www.cgsecurity.org/wiki/PhotoRec
Temporal, Functional, and Relational
Analysis
One of the primary goals of forensic analysis is to reconstruct
the events surrounding a crime. Three common analysis
techniques that are used in crime reconstruction are temporal,
functional, and relational analysis.
The most common form of temporal analysis is the time
line, but there is such an abundance of temporal information on
computers that the different approaches to analyzing this
information are limited only by our imagination and current
tools.
The goal of functional analysis is to understand what
actions were possible within the environment of the offense,
and
how the malware actually behaves within the environment (as
opposed to what it was capable of doing).
• One effective approach with respect to conducting a
functional analysis to understand how a particular piece
of malware behaves on a compromised system is to load
the forensic duplicate into a virtual environment using a
28. tool like Live View. 13Figure I.2 shows Live View being
used to prepare and load a forensic image into a
virtualized environment.
Figure I.2 Live View taking a forensic duplicate of a Windows
XP system and launching it in VMware
Relational analysis involves studying how components of
malware interact, and how various systems involved in a
malware incident relate to each other.
• For instance, one component of malware may be easily
identified as a downloader for other more critical
components, and may not require further in-depth
analysis.
• Similarly, one compromised system may be the primary
command and control point used by the intruder to
access other infected computers, and may contain the
most useful evidence of the intruder’s activities on the
network as well as information about other compromised
systems.
systems.
Specific applications of these forensic analysis techniques
are covered in Chapter 3, Post-Mortem Forensics: Discovering
and Extracting Malware and Associated Artifacts from Windows
29. Systems.
Applying Forensics to Malware
Forensic analysis of malware requires an
understanding of how an executable is complied, the
difference between static and dynamic linking, and how to
distinguish class from individuating characteristics of
malware.
How an Executable File is Compiled
Before delving into the tools and techniques used to dissect a
malicious executable program, it is important to understand how
source code is compiled, linked, and becomes executable code.
The steps an attacker takes during the course of compiling
malicious code are often items of evidentiary significance
uncovered during the examination of the code.
Think of the compilation of source code into an
executable file like the metamorphosis of caterpillar to
butterfly:
the initial and final products manifest as two totally different
entities, even though they are really one in the same but in
different form.
As illustrated in Figure I.3, when a program is compiled,
As illustrated in Figure I.3, when a program is compiled,
the program’s source code is run through a compiler, a program
30. that translates the programming statements written in a high-
level
language into another form. Once processed through the
compiler, the source code is converted into an object file or
machine code, as it contains a series of instructions not
intended
for human readability, but rather for execution by a computer
processor.14
Figure I.3 Compiling source code into an object file
After the source code is compiled into an object file, a
linker assembles any required libraries and object code together
to produce an executable file that can be run on the host
operating system, as seen in Figure I.4.
Figure I.4 A linker creates an executable file by linking the
required libraries and code to an object file
Often, during compilation, bits of information are added
to the executable file that may be relevant to the overall
investigation. The amount of information present in the
executable is contingent upon how it was compiled by the
attacker. Chapter 5 (File Identification and Profiling: Initial
Analysis of a Suspect File on a Windows System) covers tools
and techniques for unearthing these useful clues during the
course
of your analysis.
31. Static versus Dynamic Linking
In addition to the information added to the executable during
compilation, it is important to examine the suspect program to
determine whether it is a static or a dynamic executable, as this
will significantly impact the contents and size of the file, and in
turn, the evidence you may discover.
• A static executable is compiled with all of the necessary
libraries and code it needs to successfully execute,
making the program “self-contained.”
• Conversely, dynamically linked executables are
dependent upon shared libraries to successfully run. The
required libraries and code needed by the dynamically
linked executable are referred to as dependencies.
• In Windows programs, dependencies are most often
dynamic link libraries (DLLs; .dll extension) that are
imported from the host operating system during
execution.
• File dependencies in Windows executables are identified
in the Import Tables of the file structure. By calling on
the required libraries at runtime, rather than statically
linking them to the code, dynamically linked executables
are smaller and consume less system memory, among
other things.
32. We will discuss how to examine a suspect file to identify
dependencies, and delve into Important Table and file
dependency analysis in greater detail in Chapter 5 (File
Identification and Profiling: Initial Analysis of a Suspect File
on a
Windows System) and Chapter 6 (Analysis of a Malware
Specimen).
Class versus Individuating
Characteristics
It is simply not possible to be familiar with every kind of
malware in all of its various forms.
• Best investigative effort will include a comparison of
unknown malware with known samples, as well as
conducting preliminary analysis designed not just to
identify the specimen, but how best to interpret it.
• Although libraries of malware samples currently exist in
the form of anti-virus programs and hash sets, these
resources are far from comprehensive.
• Individual investigators instead must find known samples
to compare with evidence samples and focus on the
characteristics of files found on the compromised
computer to determine what tools the intruder used.
Further, deeper examination of taxonomic and
phylogenetic relationships between malware specimens
33. may be relevant to classify a target specimen and
determine if it belongs to a particular malware “family.”
Once an exemplar is found that resembles a given piece
of digital evidence, it is possible to classify the sample. John
Thornton describes this process well in “The General
Assumptions and Rationale of Forensic Identification”:15
Assumptions and Rationale of Forensic Identification”:15
In the “identification” mode, the forensic scientist
examines an item of evidence for the presence or
absence of specific characteristics that have been
previously abstracted from authenticated items.
Identifications of this sort are legion, and are
conducted in forensic laboratories so frequently and in
connection with so many different evidence categories
that the forensic scientist is often unaware of the
specific steps that are taken in the process. It is not
necessary that those authenticated items be in hand,
but it is necessary that the forensic scientist have
access to the abstracted information. For example, an
obscure 19th Century Hungarian revolver may be
identified as an obscure 19th Century Hungarian
revolver, even though the forensic scientist has never
actually seen one before and is unlikely ever to see one
again. This is possible because the revolver has been
described adequately in the literature and the literature
is accessible to the scientist. Their validity rests on the
application of established tests which have been
previously determined to be accurate by exhaustive
testing of known standard materials.
34. In the “comparison” mode, the forensic scientist
compares a questioned evidence item with another
item. This second item is a “known item.” The known
item may be a standard reference item which is
maintained by the laboratory for this purpose (e.g. an
maintained by the laboratory for this purpose (e.g. an
authenticated sample of cocaine), or it may be an
exemplar sample which itself is a portion of the
evidence in a case (e.g., a sample of broken glass or
paint from a crime scene). This item must be in hand.
Both questioned and known items are compared,
characteristic by characteristic, until the examiner is
satisfied that the items are sufficiently alike to conclude
that they are related to one another in some manner.
In the comparison mode, the characteristics that
are taken into account may or may not have been
previously established. Whether they have been
previously established and evaluated is determined
primarily by (1) the experience of the examiner, and (2)
how often that type of evidence is encountered. The
forensic scientist must determine the characteristics to
be before a conclusion can be reached. This is more
easily said than achieved, and may require de novo
research in order to come to grips with the significance
of observed characteristics. For example, a forensic
scientist compares a shoe impression from a crime
scene with the shoes of a suspect. Slight irregularities in
the tread design are noted, but the examiner is
uncertain whether those features are truly individual
35. characteristics unique to this shoe, or a mold release
mark common to thousands of shoes produced by this
manufacturer. Problems of this type are common in the
forensic sciences, and are anything but trivial.
forensic sciences, and are anything but trivial.
The source of a piece of malware is itself a unique
characteristic that may differentiate one specimen from another.
• Being able to show that a given sample of digital evidence
originated on a suspect’s computer could be enough to
connect the suspect with the crime.
• The denial of service attack tools that were used to attack
Yahoo! and other large Internet sites, for example,
contained information useful in locating those sources of
attacks.
• As an example, IP addresses and other characteristics
extracted from a distributed denial of service attack tool
are shown in Figure I.5.
Figure I.5 Individuating characteristics in suspect malware
• The sanitized IP addresses at the end indicated where the
command and control servers used by the malware were
located on the Internet, and these command and control
systems may have useful digital evidence on them.
36. Class characteristics may also establish a link between
Class characteristics may also establish a link between
the intruder and the crime scene. For instance, the “t0rn”
installation file contained a username and port number selected
by the intruder shown in Figure I.6.
Figure I.6 Class characteristics in suspect malware
If the same characteristics are found on other
compromised hosts or on a suspect’s computer, these may be
correlated with other evidence to show that the same intruder
was responsible for all of the crimes and that the attacks were
launched from the suspect’s computer. For instance, examining
the computer with IP address 192.168.0.7 used to break into
192.168.0.3 revealed the following traces (Figure I.7) that help
establish a link.
Figure I.7 Examining multiple victim systems for similar
artifacts
Be aware that malware developers continue to find new
ways to undermine forensic analysis. For instance, we have
encountered the following anti-forensic techniques (although
this
list is by no means exhaustive and will certainly develop with
time):
37. • Multicomponent packing and encryption
• Detection of debuggers, disassemblers, and virtual
environments
• Malware that halts when the PEB Debugging Flag is set
• Malware that sets the “Trap Flag” on one of its operating
threads to hinder tracing analysis
• Malware that uses Structured Exception Handling (SEH)
protection to block or misdirect debuggers
• Malware that rewrites error handlers to force a floating
point error to control how the program behaves
A variety of tools and techniques are available to digital
investigators to overcome these anti-forensic measures, many of
which are detailed in this book. Note that advanced anti-
forensic
which are detailed in this book. Note that advanced anti-
forensic
techniques require knowledge and programming skills that are
beyond the scope of this book. More in-depth coverage of
reverse engineering is available in The IDA Pro Book: The
Unofficial Guide to the World’s Most Popular
Disassembler.16 A number of other texts provide details on
programming rootkits and other malware.17
From Malware Analysis to
Malware Forensics
38. The blended malware threat has arrived; the need for
in-depth, verifiable code analysis and formalized
documentation has arisen; a new forensic discipline has
emerged.
In the good old days, digital investigators could discover
and analyze malicious code on computer systems with relative
ease. Trojan horse programs like Back Orifice and SubSeven
and UNIX rootkits like t0rnkit did little to undermine forensic
analysis of the compromised system. Because the majority of
malware functionality was easily observable, there was little
need
for a digital investigator to perform in-depth analysis of the
code.
In many cases, someone in the information security community
would perform a basic functional analysis of a piece of malware
and publish it on the Web.
While the malware of yesteryear neatly fell into distinct
categories based upon functionality and attack vector (viruses,
worms, Trojan horses), today’s malware specimens are often
modular, multifaceted, and known as blended-threats because
of their diverse functionality and means of propagation.18 And,
as computer intruders become more cognizant of digital forensic
techniques, malicious code is increasingly designed to obstruct
meaningful analysis.
By employing techniques that thwart reverse engineering,
encode and conceal network traffic, and minimize the traces left
on file systems, malicious code developers are making both
discovery and forensic analysis more difficult. This trend
started
with kernel loadable rootkits on UNIX and has evolved into
similar concealment methods on Windows systems.
39. Today, various forms of malware are proliferating,
automatically spreading (worm behavior), providing remote
control access (Trojan horse/backdoor behavior), and
sometimes concealing their activities on the compromised host
(rootkit behavior). Furthermore, malware has evolved to
undermine security measures, disabling AntiVirus tools and
bypassing firewalls by connecting from within the network to
external command and control servers.
external command and control servers.
One of the primary reasons that developers of malicious
code are taking such extraordinary measures to protect their
creations is that, once the functionality of malware has been
decoded, digital investigators know what traces and patterns to
look for on the compromised host and in network traffic. In
fact,
the wealth of information that can be extracted from malware
has
made it an integral and indispensable part of computer
intrusion,
identity theft and counterintelligence cases. In many cases, little
evidence remains on the compromised host and the majority of
useful investigative information lies in the malware itself.
The growing importance of malware analysis in digital
investigations, and the increasing sophistication of malicious
code, has driven advances in tools and techniques for
performing
surgery and autopsies on malware. As more investigations rely
on understanding and counteracting malware, the demand for
formalization and supporting documentation has grown. The
results of malware analysis must be accurate and verifiable, to
the point that they can be relied on as evidence in an
40. investigation
or prosecution. As a result, malware analysis has become a
forensic discipline—welcome to the era of malware forensics.
1 http://www.syngress.com/digital-forensics/Malware-
Forensics/.
2
http://www.symantec.com/connect/2011_Internet_Security_Thre
at_Report_Identifies_Risks_For_SMBs
3 http://www.f-secure.com/en_EMEA-Labs/news-
info/threat-summaries/2011/2011_1.html.
4 http://krebsonsecurity.com/tag/operation-trident-breach/.
5 http://www.symantec.com/connect/blogs/stuxnet-
introduces-first-known-rootkit-scada-
devices;http://www.symantec.com/content/en/us/enterprise/medi
a/security_response/whitepapers/w32_stuxnet_dossier.pdf
6 “The New E-spionage Threat,”
http://www.businessweek.com/magazine/content/08_16/b408003
2218430.htm;
“China Accused of Hacking into Heart of Merkel
Administration,”
http://www.timesonline.co.uk/tol/news/world/europe/article233
2130.ece.
7 http://googleblog.blogspot.com/2010/01/new-approach-
to-china.html.
8 Casey, E. (2011). Digital Evidence and Computer Crime,
3rd ed. London: Academic Press.
9 For more information about Helix3 Pro, go to
41. 9 For more information about Helix3 Pro, go to
http://www.e-fense.com/helix3pro.php.
10 2007 U.S. Dist. LEXIS 46364 (C.D. Cal. June 19,
2007).
11 Chisum, W.J., and Turvey, B. (2000). Evidence
Dynamics: Locard’s Exchange Principle and Crime
Reconstruction, Journal of Behavioral Profiling, Vol. 1,
No. 1.
12 http://www.faqs.org/rfcs/rfc3227.html.
13 For more information about Live View, go to
http://liveview.sourceforge.net.
14 For good discussions of the file compilation process and
analysis of binary executable files, see, Jones, K.J.,
Bejtlich, R., and Rose, C.W. (2005). Real Digital
Forensics: Computer Security and Incident Response.
Reading, MA: Addison Wesley; Mandia, K., Prosise,
C., and Pepe, M. (2003). Incident Response and
Computer Forensics, 2nd ed. New York: McGraw-
Hill/Osborne; and Skoudis, E., and Zeltser, L. (2003).
Malware: Fighting Malicious Code. Upper Saddle
River, NJ: Prentice Hall.
15 Thornton, JI. (1997). The General Assumptions and
Rationale of Forensic Identification. In: Faigman, D.L.,
Kaye, D.H., Saks, M.J., and Sanders, J., eds., Modern
Scientific Evidence: The Law and Science of Expert
Testimony, Vol. 2. St. Paul, MN: West Publishing Co.
42. 16 http://nostarch.com/idapro2.htm.
17 See, Hoglund, G., and Butler, J. (2005). Rootkits:
Subverting the Windows Kernel. Reading, MA:
Addison-Wesley; Bluden, B. (2009). The Rootkit
Arsenal: Escape and Evasion in the Dark Corners of the
System. Burlington, MA: Jones & Bartlett Publishers;
Metula, E. (2010). Managed Code Rootkits: Hooking
into Runtime Environments. Burlington, MA: Syngress.
18
http://www.virusbtn.com/resources/glossary/blended_threat.xml
.
Table of Contents
Title
Copyright
Dedication
Acknowledgments
About the Authors
About the Technical Editor
43. Introduction
Chapter 1. Malware Incident Response
Solution
s in this chapter:
Volatile Data Collection and Analysis Tools
Non-Volatile Data Collection and Analysis Tools
Selected Readings
Jurisprudence/RFCS/Technical Specifications