
Chapter 6: Live Analysis Techniques

Chapter 6: Live Analysis Techniques, from Mastering Windows Network Forensics and Investigation. Chapter topics: prepare a toolkit to acquire RAM from a live system; identify the pros and cons of performing a live analysis; finding evidence in memory.



  1. Chapter 6: Live Analysis Techniques Mastering Windows Network Forensics and Investigation

  2. Chapter Topics: • Prepare a toolkit to acquire RAM from a live system • Identify the pros and cons of performing a live analysis

  3. Finding Evidence in Memory
  • Hackers attempt to hide evidence of their activities
  • The traditional focus of LE (law enforcement) forensics is the hard drive of the victim
  • Hackers have designed their toolsets around this philosophy by using code that will only execute in RAM
      • DLL injections
      • Hooks

  4. IR Considerations
  • Pulling the plug will remove invaluable data from RAM
  • Keep interaction with the target to a bare minimum
  • Bring your own trusted tools!
  • Think before you act… then think again
  • Document everything

  5. Creating a Live-Analysis Toolkit
  • Think about the reason for performing every action
  • Use only trusted and validated analysis tools
  • Request intimate details about the target system
      • OS?
      • Architecture? (32 vs 64 bit?)
  • Assume you have only one shot to capture volatile data correctly

  6. RAM Acquisition Tools
  • DumpIt
      • Creates binary dump
      • Supports 32/64-bit
      • CLI
  • WinEN
      • Creates EnCase evidence file
      • Supports 32/64-bit
      • CLI
  • FTK Imager Lite
      • Creates binary dump
      • Supports 32/64-bit
      • GUI-based
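Slides 4 to 6 stress that you get one shot at the capture and must document everything. The following Python script is an added example, not code from the book or from DumpIt, WinEN or FTK Imager: it streams an acquired image through SHA-256 so multi-gigabyte dumps never have to fit in memory, writes down the facts an examiner should record at acquisition time (tool, target OS and architecture, size, hash, UTC timestamp), and re-verifies the image later, for instance once it reaches the lab. The image bytes, tool label and target details in `demo()` are constructed placeholders.

```python
"""Hash-verify an acquired RAM image and keep a chain-of-custody record."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image is never loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_acquisition_record(image_path, tool, target):
    """Return the facts an examiner should write down at acquisition time."""
    return {
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "tool": tool,                      # which acquisition tool produced the image
        "target": target,                  # OS / architecture as supplied by the requester
        "image_path": os.path.abspath(image_path),
        "image_size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
    }


def verify_record(record):
    """Re-hash the image (e.g. in the lab) and confirm it matches the record."""
    return sha256_file(record["image_path"]) == record["sha256"]


def write_record(record, path):
    """Store the record next to the image as JSON."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2)


def demo(image_bytes=b"constructed fake RAM image " * 1000):
    """Constructed sample: stand-in bytes play the role of a real dump."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "memdump.raw")
    with open(img, "wb") as f:
        f.write(image_bytes)
    # Tool name and target details are placeholders, not real acquisition data
    rec = build_acquisition_record(img, "DumpIt (placeholder)",
                                   {"os": "Windows (placeholder)", "arch": "x64"})
    write_record(rec, img + ".json")
    ok_before = verify_record(rec)
    # Simulate a transfer error or tampering: change one byte, verification must fail
    with open(img, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    ok_after = verify_record(rec)
    return rec, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("intact:", before, "| after modification:", after)
```

Run the hashing step on the acquisition machine immediately after the dump completes, and run `verify_record` again before analysis; a mismatch means the image you are about to analyze is not the image you acquired.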

  7. RAM Analysis Tools
  • Volatility 2.0
      • Open source RAM analysis tool
      • Active network connections
      • Running processes
      • Loaded DLLs
  • Memoryze
  • Consider mounted encrypted volumes

  8. Monitoring Communications
  • Network Sniffer
      • Analyze which IPs are engaged with victim systems
      • Which ports are being used
      • Network packet payload

  9. Monitoring Communications
  • Network Port Scanner
      • Analyze which ports are open on the network
      • Determine what services are legitimate
  • Open Source Tools
      • Nmap
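To make the two monitoring slides concrete, here is an added Python example; it is not from the book and not output of Nmap or any sniffer. It parses lines in the layout of Windows `netstat -ano` output, lists the foreign hosts engaged with the victim system, groups listening or connected ports by PID, and flags local service ports that are in use but not on the examiner's list of services confirmed legitimate. The sample lines (documentation address ranges) and the expected-port list are constructed for the example.

```python
"""Summarize a live system's connections against a list of expected services."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto lhost lport fhost fport state pid")

# Constructed sample in the layout of Windows `netstat -ano` output; not captured
# from a real system. Peers use the RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:445           10.0.0.9:49152         ESTABLISHED     4
  TCP    10.0.0.5:3389          10.0.0.21:51000        ESTABLISHED     1032
  TCP    10.0.0.5:4444          203.0.113.7:50234      ESTABLISHED     2212
  TCP    10.0.0.5:49700         198.51.100.40:443      ESTABLISHED     3120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1428
"""

# Services the examiner has confirmed are legitimate on this host (assumed list).
EXPECTED_PORTS = {135: "RPC endpoint mapper", 445: "SMB", 3389: "RDP"}


def split_addr(addr):
    """'10.0.0.5:445' -> ('10.0.0.5', 445); '*:*' -> ('*', None); works for '[::]:135'."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat-style rows into Conn records, skipping header/blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""  # UDP rows carry no state column
        pid = int(parts[-1])
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        conns.append(Conn(proto, lhost, lport, fhost, fport, state, pid))
    return conns


def summarize(conns, expected_ports, ephemeral_start=49152):
    """Answer the slide's questions: which IPs, which ports, and what is not vouched for."""
    established = [c for c in conns if c.state == "ESTABLISHED"]
    # Foreign hosts currently engaged with the victim
    peers = sorted({c.fhost for c in established})
    # Service ports (below the ephemeral range on Vista and later) that are listening
    # or connected but are not on the examiner's expected list
    unexpected = [(c.lport, c.pid, c.fhost) for c in conns
                  if c.state in ("ESTABLISHED", "LISTENING")
                  and c.lport is not None and c.lport < ephemeral_start
                  and c.lport not in expected_ports]
    # Which process owns which local ports, for cross-checking against the process list
    ports_by_pid = {}
    for c in conns:
        ports_by_pid.setdefault(c.pid, set()).add(c.lport)
    return {"peers": peers, "unexpected": unexpected, "ports_by_pid": ports_by_pid}


if __name__ == "__main__":
    s = summarize(parse_netstat(SAMPLE_NETSTAT), EXPECTED_PORTS)
    print("peers:", ", ".join(s["peers"]))
    for port, pid, peer in s["unexpected"]:
        print(f"UNEXPECTED service port {port} (PID {pid}) engaged with {peer}")
```

The PID column is what ties this view to the memory analysis on slide 7: an unexpected listening or connected port owned by a process that the running-process list cannot explain is exactly the kind of lead a live capture preserves and a pulled plug destroys.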
