null Delhi Chapter Meet - January 2014

2. Preparation
Lessons
learnt
Identification
and Analysis
Recovery
Containment
Eradication

3. 






Elevated cmd and WMIC
tasklist /v /fo csv
tasklist /svc /fo csv
netstat -ab
dir /a/s /tc c:
wmic startup list full /format:csv
wmic process list full /format:csv

4. 







Memory image
Hibernation file
Page file
Registry Hives
Event Logs
$MFT
Contents of Prefetch folder
File listing with MD5 hashes

5. Download SANS SIFT Workstation 2.14 from
http://computerforensics.sans.org/community/downloads
(SANS SIFT Workstation 3 to be released soon)

6. 




VMware Appliance
Cross compatibility between Linux and
Windows
A portable lab workstation you can use for
your investigations
Forensic tools preconfigured
Option to install stand-alone via (.iso) or use
via VMware Player/Workstation

7. 





You have to learn it like you do any tool
Powerful command line capability
It is a tool to accomplish deep forensic
analysis
Memory Analysis
File System Analysis
Timeline Analysis
And many more…..

8. Login "sansforensics"
 Password "forensics"
 $ sudo su
Use to elevate privileges to root while
mounting disk images.


10. 
•
•
•
•
File System Support
Windows (MSDOS,
FAT, VFAT, NTFS)
MAC (HFS)
Solaris (UFS)
Linux (EXT2/3)

•
•
•
Evidence Image
Support
Expert Witness
(E01)
RAW (dd)
Advanced Forensic
Format (AFF)

11. /usr/local/src
• Source files for Autopsy, The Sleuth kit
and other tools
/usr/local/bin
• Location of the forensic pre-compiled
binaries
/cases
• Location of the images that were seized
from your compromised system
/mnt
• Location of the mount points for the file
system images

12. RegRipper
YARU
deleted.pl
exiftool
Libpff
• Automated Registry Analysis
• Registry Analyzer
• Recover deleted registry keys
• Parser for metadata
• .pst mail examination tool

13. Elevate your privileges
 Change directories to /cases/<case directory>
 Mount .E01 image files in the /mnt/ewf directory
$ Mount_ewf.py <****.E01> /mnt/ewf/
 Mount the raw image found in the /mnt/ewf
directory on the mnt/windows_mount/ directory
$ Mount –o
ro,loop,show_sys_files,streams_interface=windows
<image evidence directory> /mnt/windows_mount


14. 1. Identify Rouge processes
2. Analyze process DLLs and handles
3. Review Network Artifacts
4. Look for evidence of code injection
5. Check for signs of rootkit
6. Dump suspicious processes and drivers

15. 




Vol.py –f <image> <plugin> -profile=<profile>
Export
VOLATILITY_LOCATION=file://<filepath>
Export VOLATILITY_PROFILE=<profile>
Vol.py –f <image format 1> imagecopy –o
<imageformat1.img>
cmdscan, consoles, connections, connscan,
netscan,

16. 



https://code.google.com/p/volatility/wiki/
https://http://computerforensics.sans.org/community
SANS live classes and webcasts
File System Forensic Analysis by Brian Carrier