This document discusses tools and techniques for analyzing hackers' tools through static and dynamic analysis. Static analysis involves determining the file type, reviewing strings, performing online research, and reviewing source code if available. Dynamic analysis involves executing the tool in a sandboxed environment and monitoring system calls, file system activity, registry activity, and network traffic to observe the tool's behavior and interactions. A variety of Unix and Windows tools are recommended for tracing activity at different levels, including strace, Filemon, and Regmon. The goal of analysis is to understand the tool's functions and determine how it was used.
2. Acknowledgments
Material is sourced from:
INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION
Authors: CHRIS PROSISE, KEVIN MANDIA
Publisher: McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
Israel Umana - Investigating Hackers' tools
3. The Goals of Tool Analysis
Prevent similar attacks in the future
Assess an attacker’s skill or threat level
Determine the extent of a compromise
Determine if any damage was done
Determine the number and type of intruders
Prepare yourself for a successful subject interview if you catch the attacker
Determine the attacker’s objectives and goals (specific targeting versus target of opportunity)
6. File Analysis
On a Unix system, change to the directory of the suspicious file and issue the command:
[root@conan zap]# ls -al Z
This displays the file attributes and permissions:
-rwxr--r-- 1 root root 7423 Feb 4 02:00 Z
7. File Analysis (contd)
[root@conan zap]# file Z
This command identifies the file format and how the binary was built (architecture, linking, and whether its symbols were stripped). Here is a sample output:
Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped
8. File Analysis (contd)
[root@conan zap]# strings -a Z
The strings output shows whether the file has been compressed with the UPX packer, which leaves its own info string inside the file. Sample output:
--Excerpt--
Linux
$Info: This file is packed with the UPX executable packer http://upx.sf.net$
$
$Id: UPX 1.24 Copyright (C) 1996-202 the UPX Team. All Rights Reserved. $
UWVSQR
11. Static Analysis of a Hacker Tool
Static analysis is tool analysis performed without actually executing the rogue code.
It involves the following steps:
1. Determine the type of file
2. Review the ASCII and Unicode strings
3. Perform online research
4. Perform source code review
12. Determining the Type of File
Common file types include:
Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL)
Linux a.out/elf/script
Solaris a.out/elf/script
DOS 32-bit COFF
DOS 16-bit .com file
DOS 16-bit executable
Atari ST/TT
13. Using the Unix File Command
The standard command for determining a file type on Unix systems is file.
[root@conan zap]# file *
14. Using the Windows Exetype Command
The Windows equivalent of the file command is the NT Resource Kit tool exetype.
It recognizes fewer file types than the file command.
15. Reviewing the ASCII and Unicode Strings
Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file.
The strings command has the following syntax:
strings -a filename
This command line will display all ASCII strings contained in the object code that are four characters or longer.
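The first two static-analysis steps (identify the file type as the file command does, then pull the printable strings and look for the UPX packer marker shown in the slide 8 excerpt) worked through in code. This is an added example written for this page, not code from the slides or from the Prosise/Mandia book; the ELF header bytes and the packed blob are constructed inline for the demonstration, and the header-field tables cover only a few common values.

```python
import struct

# Constructed sample inputs (not from the slides): a minimal 32-bit little-endian
# ELF header for Intel 80386, and the same header followed by the info string
# that the UPX packer embeds in the files it compresses.
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = "This file is packed with the UPX executable packer"

SAMPLE_ELF = (
    ELF_MAGIC
    + bytes([1, 1, 1, 0, 0])    # EI_CLASS=32-bit, EI_DATA=LSB, EI_VERSION, OSABI, ABIVERSION
    + b"\x00" * 7               # EI_PAD
    + struct.pack("<HH", 2, 3)  # e_type=ET_EXEC, e_machine=EM_386
    + b"\x00" * 32              # remaining header fields, zeroed for the example
)
SAMPLE_PACKED = (
    SAMPLE_ELF
    + b"\x01\x02"
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net$\x00"
    + b"\xff\xfe"
    + b"UWVSQR\x00"
)


def identify_file(data: bytes) -> str:
    """Classify a file from its header bytes, in the style of the Unix `file` command."""
    if data.startswith(ELF_MAGIC) and len(data) >= 20:
        ei_class, ei_data = data[4], data[5]
        cls = {1: "32-bit", 2: "64-bit"}.get(ei_class, "unknown-class")
        endian = {1: "LSB", 2: "MSB"}.get(ei_data, "unknown-endian")
        fmt = ">" if ei_data == 2 else "<"
        e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
        types = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
        machines = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}
        return "ELF %s %s %s, %s" % (
            cls, endian,
            types.get(e_type, "unknown type"),
            machines.get(e_machine, "machine %d" % e_machine),
        )
    if data.startswith(b"MZ"):
        return "MS-DOS/Windows executable (MZ header)"
    if data.startswith(b"#!"):
        return "script text"
    return "data"


def ascii_strings(data: bytes, min_len: int = 4):
    """Extract printable ASCII runs of at least min_len bytes, like `strings -a`."""
    found, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def is_upx_packed(data: bytes) -> bool:
    """True if the UPX packer's info string appears among the file's strings."""
    return any(UPX_MARKER in s for s in ascii_strings(data))


def static_report(data: bytes) -> dict:
    """Steps 1 and 2 of the static-analysis procedure in one pass."""
    return {
        "type": identify_file(data),
        "upx": is_upx_packed(data),
        "strings": ascii_strings(data),
    }


if __name__ == "__main__":
    for name, blob in (("SAMPLE_ELF", SAMPLE_ELF), ("SAMPLE_PACKED", SAMPLE_PACKED)):
        print(name, static_report(blob))
```

A packed binary yields almost no useful strings beyond the packer marker, which is exactly why the slides check for UPX before spending time on the strings dump: the file must be unpacked first for step 2 to say anything about the tool itself.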
16. Hex editors
When all analysis fails, the hex editor is our friend. However, when performing static tool analysis, the hex editor is only slightly better than the strings command. It allows you to see Unicode and ASCII strings within a file at the same time.
17. Performing Online Research
Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing.
If the tool is not publicly available, then you will need to decompile the file to analyse its functions.
18. Performing Source Code Review
With the source code available to you for review, you will be capable of determining exactly what a rogue program does.
Performing source code review requires working knowledge of the programming language used to create the tool. Most popular exploits and tools are found in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these formats.
19. Dynamic Analysis of a Hacker Tool
In dynamic analysis, you execute rogue code and interpret its interaction with the host operating system.
This can be dangerous on your forensic workstation.
Our methodology includes the following tasks:
Monitor the time/date stamps to determine what files a tool affects.
Run the program to intercept its system calls.
Perform network monitoring to determine if any network traffic is generated.
Monitor how Windows-based executables interact with the Registry.
20. Creating the Sandbox Environment
Get the operating system and architecture necessary to execute the object code properly.
Install VMware on your test system.
Turn on the Nonpersistent write option in the configuration settings.
Make sure that the test system is not connected to the Internet.
Execute rogue code on a closed network.
21. Dynamic Analysis on a Unix System
Most applications execute in a memory area defined as user space.
They are prohibited from accessing computer hardware and resources directly.
User applications access these resources by requesting the kernel to perform the operations on their behalf.
The user application makes these requests to the kernel via system calls.
22. Using Strace
Unix has a tool that traces the use of system calls by an executed process.
The strace command displays information about file access, network access, memory access, and many other system calls that a file makes when it is executed.
[root@conan zap]# strace -o strace.out ./zapdynamic
This command line will store the interaction between the zap program and the operating system in a file called strace.out.
24. Examining Strace Output
Look out for the following system calls:
The execve call.
The brk system calls are used to allocate memory for the process.
The mmap calls map a portion of a file into memory.
The fstat call obtains information about the file that is referenced by the file descriptor.
The close system calls are used to release a file descriptor when the process no longer needs the file or socket referenced.
25. Using Shortcuts with Strace
Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls.
A shortcut is to use the option -e trace=file.
To display all interactions with a network device, use the option -e trace=network.
More combinations are available in the man page for strace.
Save a copy of all the data transferred with the -e write option.
26. Conducting Analysis Beyond Strace
The strace utility cannot do everything.
With strace, you cannot determine what the process is doing once it reads, writes, or receives values from the system calls.
You need to resort to techniques such as debugging and decompiling.
The debugger will allow you to step through every action a program takes during its execution.
27. Recompile the GNU Binutils Package
The binutils package is installed on most versions of Linux.
It is built to recognize a small number of object file types.
Tools in the precompiled binutils package may build, view, disassemble, and otherwise alter a handful of Linux native executable files.
Recompile the package with ./configure --enable-targets=all
28. Dynamic Analysis on a Windows System
You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, the application programming interfaces (APIs), and the operating system.
For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList.
Filemon, Regmon, ListDLLs, and PsList are available at:
http://www.sysinternals.com
29. Using Filemon
The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system.
It intercepts all access and queries a process makes to the file system.
You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.
31. Using Regmon
Regmon taps a process’s interaction with the Windows Registry.
Some programs query, enumerate, and close more than 950 Registry keys upon execution.
Regmon allows you to enter filters to focus your analysis on relevant entries.
It provides immediate access to the Registry Editor (regedit).
It provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.
33. Using ListDLLs
ListDLLs is available in the NT/2000 Resource Kit.
It shows all of the DLLs needed by a process.
It enumerates the full pathnames of the DLLs loaded by the process.
ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality.
Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them.
It works on programs that are currently running.
34. Using Fport and PsList
Fport and PsList are critical tools for dynamic analysis on a Windows system.
Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets.
PsList is useful to determine if a process changes its process name after execution.
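The before/after comparison this slide describes is easy to get wrong by eye when a system has dozens of listeners and processes, so here it is as code: parse an Fport-style port listing and a PsList-style process listing taken before and after running the tool, then report the sockets that appeared and any PID whose process name changed. This is an added example, not code from the slides, the book, or Sysinternals; the snapshots are constructed in the column layout the two tools print (the rogue svc.exe, its PID, ports and paths are all made up), and the regular expressions are written for that layout only.

```python
import re

# Constructed snapshots (not from the slides) in Fport's column layout.
# The rogue process, its PID 1184, ports and paths are invented for the example.
FPORT_BEFORE = """\
Pid   Process            Port  Proto Path
392   svchost       ->   135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System        ->   139   TCP
8     System        ->   445   TCP
"""
FPORT_AFTER = """\
Pid   Process            Port  Proto Path
392   svchost       ->   135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System        ->   139   TCP
8     System        ->   445   TCP
1184  svc           ->   6667  TCP   C:\\TEMP\\svc.exe
1184  svc           ->   7777  UDP   C:\\TEMP\\svc.exe
"""

# Constructed PsList-style snapshots: the tool was launched as "zap" and the
# same PID later reports itself as "svc".
PSLIST_BEFORE = """\
Name                Pid Pri Thd  Hnd   Priv
Idle                  0   0   1    0      0
System                8   8  38  242      0
svchost             392   8  10  251   1772
zap                1184   8   1   18    300
"""
PSLIST_AFTER = """\
Name                Pid Pri Thd  Hnd   Priv
Idle                  0   0   1    0      0
System                8   8  38  242      0
svchost             392   8  10  251   1772
svc                1184   8   3   64   1024
"""

FPORT_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$')
PSLIST_RE = re.compile(r'^(\S+)\s+(\d+)\s+\d+')   # header row has no digits, so it is skipped


def parse_fport(text):
    """Map (proto, port) -> owning pid/process/path from an Fport-style listing."""
    sockets = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            sockets[(proto, int(port))] = {"pid": int(pid), "process": proc, "path": path}
    return sockets


def parse_pslist(text):
    """Map pid -> process name from a PsList-style listing."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def new_sockets(before_text, after_text):
    """Sockets present after the run that were not listening before it."""
    before, after = parse_fport(before_text), parse_fport(after_text)
    return {key: info for key, info in after.items() if key not in before}


def renamed_processes(before_text, after_text):
    """PIDs that survived the run but now report a different process name."""
    before, after = parse_pslist(before_text), parse_pslist(after_text)
    return {pid: (before[pid], after[pid])
            for pid in after if pid in before and after[pid] != before[pid]}


if __name__ == "__main__":
    for (proto, port), info in sorted(new_sockets(FPORT_BEFORE, FPORT_AFTER).items()):
        print("new %s/%d pid %d %s %s" % (proto, port, info["pid"], info["process"], info["path"]))
    for pid, (old, new) in renamed_processes(PSLIST_BEFORE, PSLIST_AFTER).items():
        print("pid %d renamed %s -> %s" % (pid, old, new))
```

Keying the socket table on (protocol, port) rather than on PID is deliberate: a tool that re-execs itself under a new name keeps its sockets but may not keep its PID, and the question the slide asks is whether any listener appeared at all.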
37. Conducting Further Analysis on Windows
The tools described in this chapter provide the first level of analysis.
More comprehensive techniques are available.
Decompiling and debugging are the next steps.
IDA Pro (an interactive disassembler) and SoftICE (a source-level debugger).
They can be obtained at:
IDA Pro: http://www.datarescue.com
SoftICE: http://www.compuware.com/products/devpartner/softice