If a Bear Breaks into Your Computer, and No One Is There to See It, Does It Leave A Clue? Incident Response, Forensics, and Looking for Bear Tracks. Troy Larson, Principal Forensics Program Manager, Network Security—Investigations. March 29, 2011
About This Presentation Overview Some forensic fundamentals. Dissecting Windows 7 for malware, compromise and intrusions.
What is Digital Forensics? The identification, preservation, collection, analysis, examination, . . . , and presentation of digital data in a reliable manner. To collect admissible evidence: authenticated and complete. To answer questions about data or files: metadata and context. To determine what has occurred on a system.
Digital Forensics in the Enterprise. At least two general types of forensics work. Content focused: find email, documents, graphics, or other types of files that match some criteria (eDiscovery and litigation support). Activity focused: determine what somebody or something did on a computer system (unauthorized activity, malware, compromise or intrusion).
Digital Forensics in the Enterprise When trust is questioned. Can this _______ still be trusted?
Forensics from XP to Vista
Default settings: NTFS, with the change journal ($UsnJrnl) enabled.
Recycle Bin, no INFO2 (each deletion now produces a $I<id> index file and a $R<id> content file).
Built in volume and disk wiping.
SuperFetch & prefetch files.
Profile based thumbcaches.*
Office file format changes .docx, .pptx, .xlsx.
New Office files—InfoPath, Groove, OneNote.
EFS encrypted pagefile.
Windows 2008 Hyper-V.
Built in Defender.
Changed location of boot sector (the first partition now starts at sector 2048 rather than sector 63, so XP-era offsets no longer apply).
BitLocker, unlocking, imaging, preservation.
exFAT. Transactional NTFS.
Event Logging changed.
New format-.evtx.
New system for collecting and displaying events.
New security event numbering (most Security log IDs are the XP ID plus 4096: 528 becomes 4624, 529 becomes 4625).
New directory tree for account profiles.
Symbolic links. “Virtual” folders.
“Virtual” registries.
Volume Shadow Copies and difference files.
User Account Control.
Enforced Signed Drivers x64.
Forensics from Vista to Windows 7
Updated BitLocker, multiple volumes, Smartcard keys, not backwardly compatible.
BitLocker To Go.
Virtual Hard drives—Boot from, mount as “Disks.”
Virtual PC—integrated into the OS.
XP Mode.
Flash Media Enhancements.
Libraries, Sticky Notes, Jump Lists.
Service and Driver triggers.
Fewer Services on default startup.
IE 8: InPrivate Browsing, tab and session recovery.
Changes in Volume Shadow Copy behavior.
New registry-like files.
Different WebDAV.
More x64 clients. Windows Server 2008 R2 is x64 only.
Changes in Hyper-V.
Office 2010 file format changes—OneNote.
Thumbnail Cache.
Virtual Servers, thin clients.
DirectAccess (IPsec).
Windows Search.
Forensics in Incident Response Incident response immediate goals: Technical assessment—what happened, when, how, etc.? Risk assessment—what systems or data at risk? Containment. Incident Response end goals: Remediation. Compliance. Prevention. Prosecution or litigation.
Forensics in Incident Response. Layers where evidence lives, from the top of the stack down:
Applications
RAM (Processes, Services, Drivers, Ports)
Network
OS Artifacts
File Systems
fvevol.sys (the BitLocker full-volume encryption filter driver, between the file system and the volume)
Partition & Volume Managers
Disk
Forensics in Incident Response Digital vivisection —collecting “live” data from a Windows system to determine what happened, when, and how. Memory dump. Processes. Services. Drivers. Logged on users. Ports. System reports on itself.
Forensics in Incident Response Digital autopsy—dissecting an offline Windows system to determine what happened, when, and how. File systems and file metadata. File signatures. Registry. Shell: links, jump lists. Wininet. Prefetch. Shadow Copies. Event and other logs.
Forensics in Incident Response Digital forensics heuristics. Any action on a computer changes something. Memory—programs, drivers, data, etc. Media—files and metadata. This includes the actions of incident responders. Not all changes persist, and those that do don’t have to persist forever. Data preservation should generally follow the order of volatility. There are rules governing the ways things work on any platform. Win32 APIs, NTFS, Security, etc. These rules generate artifacts—indicators of compromise.
Forensics in Incident Response. Digital forensics practical heuristics. Compare the memory dump to Windows' own self-reporting. Compare the memory dump and self-reports to on-disk sources. Identify unknown files, mismatched files, and packed executables. Examine ASEPs (auto-start extensibility points) for unexpected items. Examine Shell and WinINet data for indicators and correlations. Examine prefetch files for program launches and dependencies. Difference shadow copies to identify hidden files and infection times. Review event and other logs, particularly those reporting on the state of applications and the system.
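The "packed executables" step above, as an added example in Python (not code from the deck or from Microsoft). It builds two constructed PE32 images in memory, one plain and one laid out like a UPX-style packed binary, then applies three header-level heuristics a triage script would run over unknown files: per-section entropy, sections that are both writable and executable, and an entry point outside the usual code sections. The set of "usual" code-section names is an assumption for the example, and the constructed images are parseable but not loadable.

```python
import math
import random
import struct

# PE section characteristics used by the heuristics (values from the PE/COFF spec).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
# Section names where an entry point is normally found (assumed list, not exhaustive).
CODE_SECTION_NAMES = {".text", "CODE", "INIT", "PAGE"}


def shannon_entropy(data):
    """Bits per byte: ~0 for constant data, approaching 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_pe32(sections, entry_section):
    """Constructed sample input: minimal PE32 image (DOS header, COFF header,
    optional header, section table, raw section data)."""
    e_lfanew, opt_size, n = 0x40, 224, len(sections)
    headers_raw = _align(e_lfanew + 4 + 20 + opt_size + 40 * n, FILE_ALIGN)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)      # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)  # i386, n sections
    table, raw, rva, raw_ptr, entry = b"", b"", SECT_ALIGN, headers_raw, 0
    for name, data, flags in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        if name == entry_section:
            entry = rva
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        raw += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += _align(max(len(data), 1), SECT_ALIGN)
    # PE32 optional header: Magic, linker version, sizes, AddressOfEntryPoint (offset 16), BaseOfCode.
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry, SECT_ALIGN).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_raw, b"\0") + raw


def parse_pe32(pe):
    """Return (entry_rva, [section dicts]) read from the headers of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n = struct.unpack_from("<H", pe, e_lfanew + 6)[0]           # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + 16)[0]           # AddressOfEntryPoint
    sections = []
    for i in range(n):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva,
                         "vsize": vsize, "flags": flags,
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return entry, sections


def packer_indicators(pe, entropy_threshold=7.0):
    """Header-level packer heuristics; returns a list of human-readable findings."""
    entry, sections = parse_pe32(pe)
    findings = []
    for s in sections:
        if s["entropy"] > entropy_threshold:
            findings.append(f'{s["name"]}: entropy {s["entropy"]:.2f}, compressed or encrypted content')
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f'{s["name"]}: writable and executable (unpacking stub territory)')
    home = next((s for s in sections if s["rva"] <= entry < s["rva"] + max(s["vsize"], 1)), None)
    if home is None:
        findings.append("entry point lies outside every section")
    elif home["name"] not in CODE_SECTION_NAMES:
        findings.append(f'entry point in unusual section {home["name"]}')
    return findings


def sample_clean():
    text = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x33\xc0\x5f\x5e\x5b\xc9\xc3" * 40  # repetitive code-like bytes
    return build_pe32([(".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                       (".data", b"Hello, world\0" * 20,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)], ".text")


def sample_packed():
    rng = random.Random(2011)  # deterministic stand-in for a compressed payload
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe32([("UPX0", b"", rwx), ("UPX1", blob, rwx)], "UPX1")


if __name__ == "__main__":
    for label, image in (("clean", sample_clean()), ("packed", sample_packed())):
        print(label, packer_indicators(image) or ["no indicators"])
```

The entropy threshold is a lead, not a verdict: a .rsrc section full of PNG icons or a signed installer carrying a compressed payload scores just as high, so corroborate a hit with the other checks in the list above (Authenticode signature, hash against a known-good catalog, prefetch and ASEP evidence that the file actually ran).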
Forensics in Incident Response. Memory dumps. Sometimes, it is easy. All Microsoft code should have symbols.* In the WinDbg loaded-module listing (lm) below, every kernel module resolves to a PDB in the symbol store except two:
8d793000 8d79d000   nsiproxy     (private pdb symbols)  C:\debuggers\sym\nsiproxy.pdb\05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680   msvmmouf     (private pdb symbols)  C:\debuggers\sym\msvmmouf.pdb\234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000   mssmbios     (private pdb symbols)  C:\debuggers\sym\mssmbios.pdb\9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980   mrxnet       (no symbols)
8d7ac000 8d7b0d80   mrxcls       (no symbols)
8d7b1000 8d7bd000   discache     (private pdb symbols)  C:\debuggers\sym\discache.pdb\F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000   CompositeBus (private pdb symbols)  C:\debuggers\sym\CompositeBus.pdb\0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000   AgileVpn     (private pdb symbols)  C:\debuggers\sym\AgileVpn.pdb\9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000   rasl2tp      (private pdb symbols)  C:\debuggers\sym\rasl2tp.pdb\F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
The two modules with no symbols, mrxnet and mrxcls, are the outliers to pull from disk and examine; mrxnet.sys and mrxcls.sys are the file names of the Stuxnet kernel-mode drivers. Reference: http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
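The same symbol heuristic as a script, added here as an example that is not part of the deck: a Python parser for WinDbg lm output that flags loaded modules with no symbols, and also modules whose matched PDB file name does not match the module name (the "mismatched files" case from the checklist). The sample listing is the slide's own, trimmed, with the path separators restored; "(private pdb symbols)" is what an analyst with Microsoft-internal symbols sees, and the public symbol server reports "(pdb symbols)", which the parser treats the same way.

```python
import re
from collections import namedtuple

Module = namedtuple("Module", "start end name status pdb")

# One module line of WinDbg 'lm' output: start, end, name, symbol status in
# parentheses and, when symbols loaded, the path of the PDB that was matched.
# x64 addresses carry a backtick (fffff880`01234567), hence the character class.
LM_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F`]{8,17})\s+(?P<end>[0-9a-fA-F`]{8,17})\s+"
    r"(?P<name>\S+)\s+\((?P<status>[^)]*)\)\s*(?P<pdb>\S.*)?$"
)

# Constructed sample: five lines from the slide's listing, path separators restored.
SAMPLE_LM = r"""
8d793000 8d79d000   nsiproxy   (private pdb symbols)  C:\debuggers\sym\nsiproxy.pdb\05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680   msvmmouf   (private pdb symbols)  C:\debuggers\sym\msvmmouf.pdb\234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d7a9000 8d7ab980   mrxnet     (no symbols)
8d7ac000 8d7b0d80   mrxcls     (no symbols)
8d7b1000 8d7bd000   discache   (private pdb symbols)  C:\debuggers\sym\discache.pdb\F3066C30EA34CC381D3006454C11BD11\discache.pdb
"""


def parse_lm(text):
    """Parse 'lm' output; header, blank and 'Unloaded modules' lines do not match and are skipped."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if m:
            modules.append(Module(int(m["start"].replace("`", ""), 16),
                                  int(m["end"].replace("`", ""), 16),
                                  m["name"], m["status"].strip(), (m["pdb"] or "").strip()))
    return modules


def triage(text):
    """Apply the slide's heuristic: Microsoft code resolves to a PDB from the symbol
    store, so a loaded module with no symbols, or one whose PDB does not carry the
    module's own name, is the outlier to pull from disk and examine.
    Returns (module name, size in bytes, reason) tuples."""
    findings = []
    for mod in parse_lm(text):
        size = mod.end - mod.start
        if "no symbols" in mod.status:
            findings.append((mod.name, size, "no symbols available"))
        elif mod.pdb:
            pdb_file = mod.pdb.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if not pdb_file.startswith(mod.name.lower()):
                findings.append((mod.name, size, f"symbol file {pdb_file} does not match module name"))
    return findings


if __name__ == "__main__":
    for name, size, reason in triage(SAMPLE_LM):
        print(f"{name:<14} {size:>8} bytes  {reason}")
```

"No symbols" is where the investigation starts, not where it ends: third-party drivers that are perfectly legitimate (AV filters, VM integration drivers, vendor storage drivers) will also fail to resolve against the Microsoft symbol server. The next step in the checklist is to compare each flagged module to its on-disk file: hash it, check its Authenticode signature, and look at its creation time against the prefetch and shadow-copy evidence.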
Unraveling Multimodality with Large Language Models.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Bear Tracks: Finding Malware Clues

  • 2. If a Bear Breaks into Your Computer, and No One Is There to See It, Does It Leave A Clue? Incident Response, Forensics, and Looking for Bear Tracks. Troy Larson, Principal Forensics Program Manager, Network Security—Investigations. March 29, 2011
  • 3. About This Presentation Overview Some forensic fundamentals. Dissecting Windows 7 for malware, compromise and intrusions.
  • 4. What is Digital Forensics? The identification, preservation, collection, analysis, examination, . . . , and presentation of digital data in a reliable manner. To collect admissible evidence. Authentication. Complete. To answer questions about data or files. Metadata. Context. To determine what has occurred on a system.
  • 5. Digital Forensics in the Enterprise At least two general types of forensics work: Content focused. Find email, documents, graphics, or other types of files that match some criteria. eDiscovery and litigation support. Activity focused. Determine what somebody or something did on a computer system. Unauthorized activity. Malware. Compromise or intrusion.
  • 6. Digital Forensics in the Enterprise When trust is questioned. Can this _______ still be trusted?
  • 10. Built in volume and disk wiping.
  • 13. Office file format changes .docx, .pptx, .xlsx.
  • 18. Changed location of boot sector.
  • 23. New system for collecting and displaying events.
  • 24. New security event numbering.
  • 25. New directory tree for account profiles.
  • 28. Volume Shadow Copies and difference files.
  • 31. Updated BitLocker, multiple volumes, Smartcard keys, not backwardly compatible.
  • 33. Virtual Hard drives—Boot from, mount as “Disks.”
  • 38. Service and Driver triggers.
  • 39. Fewer Services on default startup.
  • 40. I.E. 8, InPrivate Browsing, Tab and Session Recovery.
  • 41. Changes in Volume Shadow Copy behavior.
  • 44. More x64 clients. X64 Windows 2008 R2 (server).
  • 46. Office 2010 file format changes—OneNote.
  • 51. Forensics in Incident Response Incident response immediate goals: Technical assessment—what happened, when, how, etc.? Risk assessment—what systems or data at risk? Containment. Incident Response end goals: Remediation. Compliance. Prevention. Prosecution or litigation.
  • 52. Forensics in Incident Response Layers to examine, from the top down: Applications. RAM: processes, services, drivers, ports, network. OS artifacts. File systems. Fvevol.sys (the BitLocker filter driver, which sits between the file system and the volume). Partition and volume managers. Disk.
  • 53. Forensics in Incident Response Digital vivisection —collecting “live” data from a Windows system to determine what happened, when, and how. Memory dump. Processes. Services. Drivers. Logged on users. Ports. System reports on itself.
  • 54. Forensics in Incident Response Digital autopsy—dissecting an offline Windows system to determine what happened, when, and how. File systems and file metadata. File signatures. Registry. Shell: links, jump lists. Wininet. Prefetch. Shadow Copies. Event and other logs.
  • 55. Forensics in Incident Response Digital forensics heuristics. Any action on a computer changes something. Memory—programs, drivers, data, etc. Media—files and metadata. This includes the actions of incident responders. Not all changes persist, and those that do don’t have to persist forever. Data preservation should generally follow the order of volatility. There are rules governing the ways things work on any platform. Win32 APIs, NTFS, Security, etc. These rules generate artifacts—indicators of compromise.
  • 57. Forensics in Incident Response Digital forensics practical heuristics. Compare memory dump to Windows own self-reporting. Compare memory dump and self-reports to on disk sources. Identify unknown files, mismatched files, and packed executables. Examine ASEPs for unexpected items. Examine Shell and Wininet data for indicators and correlations. Examine prefetch files for program launches and dependencies. Difference shadow copies to identify hidden files and infection times. Review event and other logs, particularly those reporting on states of applications and system.
  • 58. Forensics in Incident Response Memory dumps Sometimes, it is easy. All Microsoft code should have symbols.* In the WinDbg lm listing below, the two loaded drivers with no symbols are the ones that stand out:
    8d793000 8d79d000   nsiproxy     (private pdb symbols)  C:\Debuggers\sym\nsiproxy.pdb\05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
    8d79d000 8d79e680   msvmmouf     (private pdb symbols)  C:\Debuggers\sym\msvmmouf.pdb\234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
    8d79f000 8d7a9000   mssmbios     (private pdb symbols)  C:\Debuggers\sym\mssmbios.pdb\9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
    8d7a9000 8d7ab980   mrxnet       (no symbols)
    8d7ac000 8d7b0d80   mrxcls       (no symbols)
    8d7b1000 8d7bd000   discache     (private pdb symbols)  C:\Debuggers\sym\discache.pdb\F3066C30EA34CC381D3006454C11BD11\discache.pdb
    8d7bd000 8d7ca000   CompositeBus (private pdb symbols)  C:\Debuggers\sym\CompositeBus.pdb\0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
    8d7ca000 8d7dc000   AgileVpn     (private pdb symbols)  C:\Debuggers\sym\AgileVpn.pdb\9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
    8d7dc000 8d7f4000   rasl2tp      (private pdb symbols)  C:\Debuggers\sym\rasl2tp.pdb\F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
    http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
  • 59. Forensics in Incident Response Compare memory dumps to self-reported information.
  • 60. Forensics in Incident Response Compare memory dumps and self-reported information to on disk sources.
  • 61. Forensics in Incident Response Memory dumps and self-reported information should be examined for the unknown. Unknown processes. Unknown services. Unknown drivers. Unknown ports. Etc. Which unfortunately raises the question: what is unknown? Good to build familiarity. Baseline: capture the same data from a clean build of the same image, so that "unknown" becomes a set difference rather than a judgement call.
  • 62. Forensics in Incident Response To the media: Identify and exclude known good files. Industry standard: MD5 hash values of the operating system and application files. (MD5 is collision-prone; where the reference set also carries SHA-1 or SHA-256, match on those.)
  • 63. Forensics in Incident Response Known good file hashes? http://www.nsrl.nist.gov/ Make as needed, based on standard load images, patched and updated as needed. Pre-incident shadow copies. (Technically, not “known good,” but good enough to use for finding new, potentially bad files.)
  • 64. Forensics in Incident Response Recovery and scan of all files. Undelete. Check the file signatures for all files to identify mismatched signatures. Also known as a file signature/extension comparison. Scan for binaries with “packed” code.
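The three checks from the last slides (exclude known-good files by hash, compare the content signature with the file extension, and flag binaries that look packed) are combined below into one triage pass. This is an added example, not code from the presentation or from Microsoft; the signature table is a small constructed subset, the "files" are constructed byte strings rather than real binaries, the known-good set is built from one of them in place of an NSRL or gold-image hash list, and the 7.2 bits-per-byte entropy threshold for "packed" is an assumed heuristic, not a standard.

```python
import hashlib
import math
import random

# Magic numbers for a few common types and the extensions they legitimately carry.
# Extend this table from a signature reference for real work (constructed subset).
SIGNATURES = [
    (b"MZ", {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}),
    (b"%PDF", {"pdf"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msi"}),
]


def identify(data):
    """Return (magic, allowed extensions) for the first signature the content matches."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return magic, exts
    return None, set()


def shannon_entropy(data):
    """Bits per byte: packed or encrypted executables sit near 8, plain code nearer 5 to 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name, data, known_good, packed_threshold=7.2):
    """Classify one file: known good by hash, else flag signature mismatch and packing."""
    digest = hashlib.sha256(data).hexdigest()
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic, allowed = identify(data)
    result = {"name": name, "sha256": digest,
              "known_good": digest in known_good, "findings": []}
    if result["known_good"]:
        return result  # excluded: no further work on a known-good file
    if magic is not None and ext not in allowed:
        result["findings"].append(
            "signature/extension mismatch: content starts %r but name says .%s" % (magic, ext))
    if magic == b"MZ":
        # Only an entropy check here; section-name checks (UPX0 etc.) need a PE parser.
        entropy = shannon_entropy(data)
        if entropy >= packed_threshold:
            result["findings"].append(
                "entropy %.2f bits/byte: likely packed or encrypted" % entropy)
    return result


# Constructed sample "files" (byte strings, not real binaries).
rng = random.Random(20110329)
SAMPLES = {
    "calc.exe": b"MZ" + b"\x00" * 200 + b"This program cannot be run in DOS mode." + b"\x00" * 800,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 100,
    "invoice.pdf": b"MZ" + b"\x90" * 64,                                 # executable behind .pdf
    "update.exe": b"MZ" + bytes(rng.getrandbits(8) for _ in range(4096)),  # random body = "packed"
}
# Stand-in for a known-good hash list (NSRL, or hashes of your own standard load image).
KNOWN_GOOD = {hashlib.sha256(SAMPLES["calc.exe"]).hexdigest()}


def scan(samples=SAMPLES, known_good=KNOWN_GOOD):
    """Return only the files an analyst needs to look at, with their findings."""
    out = {}
    for name, data in samples.items():
        r = triage(name, data, known_good)
        if not r["known_good"] and r["findings"]:
            out[name] = r["findings"]
    return out


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name)
        for f in findings:
            print("   ", f)
```

Note the order: hashing first means a known-good file never reaches the slower checks, which matters when the input is every recovered file on a volume rather than four samples.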
  • 65. Forensics in Incident Response Using file system date and time information: Follow an event of interest (this is the starting point). Sort on created dates and times. This is when files came to exist on the media. Sort on last modified dates and times. This is when files were last written to. Sort on entry modified (NTFS) for any changes in metadata or named streams. Correlate—for each important finding, examine contemporaneous events. Especially important on exploits and downloaders. Cross check date and time of significant files by comparing date and time from standard attributes to those in the name attribute. Corroborate event times with corresponding events. E.g., event logs, internal metadata, shadow copies. Build a time line.
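The cross check and the correlation step above, as an added example that is not part of the presentation. It works on records shaped like an MFT parser's output (FILETIME integers for the $STANDARD_INFORMATION and $FILE_NAME sets); the records, paths and times are constructed, the two-second tolerance and the "all-zero sub-second part" heuristic are assumptions, and the driver name netfltr.sys is fictional.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = 10_000_000  # FILETIME ticks (100 ns) per second
FIELDS = ("created", "modified", "mft_modified", "accessed")


def ft(*ymdhms, ticks=0):
    """FILETIME for a UTC date/time plus sub-second ticks (helper for the constructed data)."""
    dt = datetime(*ymdhms, tzinfo=timezone.utc)
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICK + ticks


def ft_to_dt(value):
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def cross_check(rec, tolerance_s=2):
    """Compare $STANDARD_INFORMATION (si) with $FILE_NAME (fn) timestamps for one record.
    SetFileTime() and the usual timestomping tools rewrite only the si set; the fn set is
    written by the kernel when the name is created and is left behind as a witness."""
    si, fn = rec["si"], rec["fn"]
    flags = []
    if si["created"] + tolerance_s * TICK < fn["created"]:
        flags.append("si created predates fn created: possible timestomp into the past")
    if any(si[f] % TICK == 0 for f in FIELDS) and any(fn[f] % TICK for f in FIELDS):
        flags.append("si timestamp has an all-zero sub-second part while fn keeps 100 ns precision")
    return flags


def timeline(records):
    """Flatten records into (time, path, 'si:created' ...) events, oldest first."""
    events = []
    for rec in records:
        for attr in ("si", "fn"):
            for field in FIELDS:
                events.append((ft_to_dt(rec[attr][field]), rec["path"], attr + ":" + field))
    return sorted(events)


def contemporaneous(records, event_time, window_s=120):
    """Paths with any timestamp within +/- window_s of the event of interest."""
    lo = event_time - timedelta(seconds=window_s)
    hi = event_time + timedelta(seconds=window_s)
    return sorted({path for when, path, _ in timeline(records) if lo <= when <= hi})


def record(path, si, fn):
    return {"path": path, "si": dict(zip(FIELDS, si)), "fn": dict(zip(FIELDS, fn))}


# Constructed records (fictional system); real ones come from an MFT parser.
T_OS = ft(2009, 7, 14, 1, 14, 10, ticks=1234567)     # OS install-era timestamps
T_DROP = ft(2011, 3, 14, 15, 2, 11, ticks=4455667)   # a downloader writes a temp file
T_DRV = ft(2011, 3, 14, 15, 2, 40, ticks=3120000)    # a driver lands 29 s later
RECORDS = [
    record(r"C:\Windows\System32\calc.exe", (T_OS,) * 4, (T_OS,) * 4),
    record(r"C:\Users\alice\AppData\Local\Temp\~tmp42.tmp", (T_DROP,) * 4, (T_DROP,) * 4),
    # si set rewritten to blend in with the OS install, at whole-second granularity; fn untouched
    record(r"C:\Windows\System32\drivers\netfltr.sys", (ft(2009, 7, 14, 1, 14, 0),) * 4, (T_DRV,) * 4),
]
EVENT_OF_INTEREST = ft_to_dt(T_DROP)


def findings(records=RECORDS):
    return {r["path"]: cross_check(r) for r in records}


if __name__ == "__main__":
    for path, flags in findings().items():
        print(path, flags or "ok")
    print("contemporaneous with", EVENT_OF_INTEREST, contemporaneous(RECORDS, EVENT_OF_INTEREST))
```

Sorting by the si created time alone would file the driver under 2009; the fn created time puts it 29 seconds after the dropped temp file, which is the correlation the slide is after.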
  • 73. Forensics in Incident Response Examine the registry for ASEPS: Auto-start Extensibility Points. http://www.usenix.org/event/lisa04/tech/full_papers/wang/wang.pdf Autoruns, either online or offline. http://technet.microsoft.com/en-us/sysinternals/bb963902
  • 74. Forensics in Incident Response When user activity may have contributed to the infection or compromise: Registry “MRU” lists.
  • 75. Forensics in Incident Response When user activity may have contributed to the infection or compromise: Registry, UserAssist. Ntuser.dat. Usrclass.dat.
  • 76. Forensics in Incident Response When user activity may have contributed to the infection or compromise: Shell artifacts: Link files (also known as shortcuts).
  • 77. Forensics in Incident Response When user activity may have contributed to the infection or compromise: Shell artifacts: A malformed link file.
  • 78. Forensics in Incident Response The link points to a file, ~wtr4141.tmp, which is this:
  • 79. Forensics in Incident Response When user activity may have contributed to the infection or compromise: Shell artifacts: Jump lists.
  • 80. Forensics in Incident Response When user activity may have contributed to the infection or compromise: Shell artifacts: Jump lists.
  • 81. Forensics in Incident Response Wininet: Internet history. Can expose browser exploit URLs and downloads. Can indicate intruder downloads. First appearance of intruder tools in the history and cache for the Default account. Multiple data sources: Internet history files (index.dat), and all fragments or deleted history files. Browser cache folders. Recovery files. Jump lists.
  • 83. Forensics in Incident Response Cache folders
  • 84. Forensics in Incident Response Recovery folders
  • 85. Forensics in Incident Response Recover file
  • 86. Forensics in Incident Response Records of programs being run, and their dependencies, are found in prefetch files. \Windows\Prefetch The existence of a prefetch file indicates that the application named by the prefetch file was run. The creation date of a prefetch file can indicate when the named application was first run. The modification date of a prefetch file can indicate when the named application was last run. Prefetch file internals show last launch time, number of times run, and files called during launch.
  • 88. Forensics in Incident Response Prefetch internals parsed.
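A parser for the Windows 7 prefetch internals named above (last run time, run count, and the list of files touched at launch), as an added example that is not from the presentation. It handles only format version 23 (Windows 7); the field offsets are the documented ones for that version. The sample file it reads is constructed by the build_sample helper in the same block rather than captured from a system, and UPDATE.EXE, its hash value and its loaded-file list are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7 prefetch (.pf) layout, format version 23.  Offsets are from the start of the file.
# Header (84 bytes): version, "SCCA", unknown, file size, executable name (60 bytes UTF-16LE),
# prefetch hash (the hex suffix of the .pf file name), flags.  The file information block
# starts at 84; the fields this parser needs sit at fixed offsets within it for version 23.
HEADER = "<I4sII60sII"
VERSION_WIN7 = 23
OFF_FILENAME_STRINGS = 84 + 16   # uint32 offset and uint32 size of the NUL-separated UTF-16LE path list
OFF_LAST_RUN = 84 + 44           # FILETIME of the last launch
OFF_RUN_COUNT = 84 + 68          # uint32 launch counter
FILE_INFO_SIZE = 156             # variable-length sections begin at 240


def parse_prefetch(data):
    """Return executable name, hash, last run time, run count and the loaded-file list."""
    version, sig, _, size, name_raw, pf_hash, _ = struct.unpack_from(HEADER, data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version != VERSION_WIN7:
        # XP/Vista (17) and Win8 (26) use other offsets; Win10 (30) files are MAM-compressed.
        raise ValueError("unsupported prefetch version %d" % version)
    if size != len(data):
        raise ValueError("size field %d does not match %d bytes read" % (size, len(data)))
    exe = name_raw.decode("utf-16-le").split("\x00", 1)[0]
    str_off, str_size = struct.unpack_from("<II", data, OFF_FILENAME_STRINGS)
    (last_run,) = struct.unpack_from("<Q", data, OFF_LAST_RUN)
    (run_count,) = struct.unpack_from("<I", data, OFF_RUN_COUNT)
    names = data[str_off:str_off + str_size].decode("utf-16-le").split("\x00")
    return {
        "executable": exe,
        "hash": "%08X" % pf_hash,
        "last_run": FILETIME_EPOCH + timedelta(microseconds=last_run // 10),
        "run_count": run_count,
        "loaded_files": [n for n in names if n],
    }


def user_writable_dependencies(pf):
    """Files the program pulled in from user-writable locations: the dependencies worth a second look."""
    marks = ("\\TEMP\\", "\\APPDATA\\", "\\USERS\\")
    return [p for p in pf["loaded_files"] if any(m in p.upper() for m in marks)]


def build_sample(exe, last_run, run_count, loaded):
    """Write a minimal version-23 prefetch image (constructed test data, not a captured file)."""
    strings = "".join(n + "\x00" for n in loaded).encode("utf-16-le")
    str_off = 84 + FILE_INFO_SIZE
    buf = bytearray(str_off + len(strings))
    filetime = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into(HEADER, buf, 0, VERSION_WIN7, b"SCCA", 0x11, len(buf),
                     exe.encode("utf-16-le"), 0x1A2B3C4D, 0)
    struct.pack_into("<II", buf, OFF_FILENAME_STRINGS, str_off, len(strings))
    struct.pack_into("<Q", buf, OFF_LAST_RUN, filetime)
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    buf[str_off:] = strings
    return bytes(buf)


SAMPLE = build_sample(
    "UPDATE.EXE", datetime(2011, 3, 14, 15, 2, 45, tzinfo=timezone.utc), 3,
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
     r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATE.EXE"])

if __name__ == "__main__":
    pf = parse_prefetch(SAMPLE)
    print(pf["executable"], pf["hash"], pf["last_run"], "runs:", pf["run_count"])
    for dep in user_writable_dependencies(pf):
        print("  loaded from a user-writable path:", dep)
```

To run it against a real file, pass the bytes of a \Windows\Prefetch\NAME-HASH.pf file to parse_prefetch; the hash it returns should equal the HASH part of that file name.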
  • 89. Forensics in Incident Response Shadow copies. Snapshot of a volume at point in time. Can show files added, modified, or deleted over time.
  • 90. Forensics in Incident Response Shadow copies. Can be mounted as volumes, for scanning. The first command below exposes each shadow copy on a volume as a directory symbolic link; it reads the "Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN" lines from vssadmin, takes the last path component as the link name, and links it to the shadow copy (the trailing backslash on the target is required). The second command follows each link and writes a file list of everything in that shadow copy. Both are typed at an elevated cmd prompt; in a batch file, double the percent signs (%%f, %%g).
    for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
    for /f "tokens=1" %f in ('dir C:\ /B /A:D ^| findstr HarddiskVolumeShadowCopy') do @dir C:\%f /B /O:N /S > E:\%f-fileList.txt
  • 93. Forensics in Incident Response Differencing shadow copies file lists makes malware files stand out:
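The differencing step, as an added example that is not from the presentation. It takes the dir /B /S listings written for each mounted shadow copy (oldest first) plus a listing of the live volume, maps the C:\HarddiskVolumeShadowCopyN\ mount prefix back to the live drive letter so the same file compares equal across snapshots, and then reports, for every path, the pair of listings between which it first appeared (the infection window) and, for paths missing from the live volume, where they were last seen. A file present in a snapshot but absent from the live listing was either deleted or is being hidden from the live file system. The listings, paths and snapshot times are constructed, and netfltr.sys is a fictional name.

```python
import re

# Mounted shadow copy paths look like C:\HarddiskVolumeShadowCopy3\Windows\...; rewrite the
# prefix to the live drive letter so the same file compares equal in every listing.
MOUNT_RE = re.compile(r"^[A-Za-z]:\\HarddiskVolumeShadowCopy\d+", re.IGNORECASE)


def parse_listing(text, live_prefix="C:"):
    """Turn 'dir /B /S' output into a set of normalised (lower-cased) paths."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            paths.add(MOUNT_RE.sub(live_prefix, line).lower())
    return paths


def first_and_last_seen(series):
    """series: [(label, listing_text), ...] oldest first, the live volume last.
    Returns (appeared, vanished): paths absent from the first listing with the bracket of
    labels in which they showed up, and paths present earlier but missing from the last
    listing (deleted, or hidden from the live file system) with the bracket where they went."""
    labels = [label for label, _ in series]
    sets = [parse_listing(text) for _, text in series]
    appeared, vanished = {}, {}
    for path in sorted(set().union(*sets)):
        present = [path in s for s in sets]
        first = present.index(True)
        if first > 0:
            appeared[path] = (labels[first - 1], labels[first])
        if not present[-1]:
            last = len(present) - 1 - present[::-1].index(True)
            vanished[path] = (labels[last], labels[last + 1])
    return appeared, vanished


# Constructed listings, shaped like the output of the dir command on the previous slide.
SNAP_0307 = r"""
C:\HarddiskVolumeShadowCopy1\Windows\System32\calc.exe
C:\HarddiskVolumeShadowCopy1\Windows\System32\drivers\ntfs.sys
C:\HarddiskVolumeShadowCopy1\Users\alice\Documents\budget.xlsx
"""
SNAP_0314 = r"""
C:\HarddiskVolumeShadowCopy2\Windows\System32\calc.exe
C:\HarddiskVolumeShadowCopy2\Windows\System32\drivers\ntfs.sys
C:\HarddiskVolumeShadowCopy2\Windows\System32\drivers\netfltr.sys
C:\HarddiskVolumeShadowCopy2\Users\alice\Documents\budget.xlsx
C:\HarddiskVolumeShadowCopy2\Users\alice\AppData\Local\Temp\~tmp42.tmp
"""
LIVE = r"""
C:\Windows\System32\calc.exe
C:\Windows\System32\drivers\ntfs.sys
C:\Users\alice\Documents\budget.xlsx
C:\Users\alice\AppData\Local\Temp\~tmp42.tmp
"""
# Labels are the snapshot creation times reported by "vssadmin list shadows".
SERIES = [("2011-03-07 03:00", SNAP_0307), ("2011-03-14 03:00", SNAP_0314), ("live", LIVE)]


def report(series=SERIES):
    return first_and_last_seen(series)


if __name__ == "__main__":
    appeared, vanished = report()
    for path, (before, after) in appeared.items():
        print("appeared between", before, "and", after, ":", path)
    for path, (before, after) in vanished.items():
        print("last seen", before, ", gone by", after, ":", path)
```

The driver is the interesting case: it shows up between the two snapshots and is absent from the live listing even though nothing deleted it, which is what a driver hiding its own file from the live file system looks like, and why the snapshot listing, not the live one, is the record to trust.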
  • 94. Forensics in Incident Response Events and other logs. Often not the best entry point into an investigation. System event log can show problems impacting system components. Unexpected shutdowns Port reassignment. Application logs can show problems impacting various applications. Unexpected terminations. Errors and failures. Value of the security event log depends on auditing policy settings. Can be noisy.
  • 95. Forensics in Incident Response Events and other logs.
  • 96. Forensics in Incident Response Events and other logs.
  • 97. Forensics in Incident Response Events and other logs.
  • 98. Q&A
  • 99. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.