Acknowledgments About the Authors

Size: px

Start display at page:

Download "Acknowledgments About the Authors"

Marshall Tate
5 years ago
Views:

1 Preface p. xv Acknowledgments p. xix About the Authors p. xxi Case Studies p. xxv Live Incident Response p. 1 Windows Live Response p. 3 Analyzing Volatile Data p. 5 The System Date and Time p. 6 Current Network Connections p. 6 Open TCP or UDP Ports p. 9 Executables Opening TCP or UDP Ports p. 10 Cached NetBIOS Name Tables p. 12 Users Currently Logged On p. 13 The Internal Routing Table p. 14 Running Processes p. 15 Running Services p. 17 Scheduled Jobs p. 18 Open Files p. 19 Process Memory Dumps p. 20 Full System Memory Dumps p. 26 Analyzing Nonvolatile Data p. 29 System Version and Patch Level p. 30 File System Time and Date Stamps p. 31 Registry Data p. 35 The Auditing Policy p. 36 A History of Logins p. 37 System Event Logs p. 37 User Accounts p. 38 IIS Logs p. 38 Suspicious Files p. 42 Putting It All Together p. 43 Unix Live Response p. 47 Analyzing Volatile Data p. 48 The System Date and Time p. 49 Current Network Connections p. 49 Open TCP or UDP Ports p. 50 Executables Opening TCP or UDP Ports p. 51 Running Processes p. 53 Open Files p. 55 The Internal Routing Table p. 56 Loaded Kernel Modules p. 57

2 Mounted File Systems p. 57 Analyzing Nonvolatile Data p. 58 System Version and Patch Level p. 58 File System Time and Date Stamps p. 59 File System MD5 Checksum Values p. 61 Users Currently Logged On p. 62 A History of Logins p. 62 Syslog Logs p. 64 User Accounts p. 66 User History Files p. 67 Suspicious Files p. 69 Putting It All Together p. 70 Network-Based Forensics p. 73 Collecting Network-Based Evidence p. 75 Full Content Data p. 76 Session Data p. 78 Alert Data p. 79 Statistical Data p. 80 Putting NBE to Work p. 81 A Standard Intrusion Scenario p. 82 Using Full Content Data p. 84 Using Session Data p. 85 Using Alert Data p. 86 Using Statistical Data p. 87 Data Collection p. 88 Accessing the Wire p. 88 Collecting and Storing Traffic p. 91 Full Content Data Tools p. 91 Session Data Tools p. 92 Alert Data Tools p. 93 Statistical Data Tools p. 93 Putting It All Together p. 93 Analyzing Network-Based Evidence for a Windows Intrusion p. 95 Statistical Data: First Trace p. 96 Alert Data: First Trace p. 97 Session Data: First Trace p. 102 Full Content Data: First Trace p. 106 Statistical Data: Second Trace p. 108 Alert Data: Second Trace p. 110 Session Data: Second Trace p. 114 Full Content Data: Second Trace p. 116

3 Putting It All Together p. 127 Analyzing Network-Based Evidence for a Unix Intrusion p. 129 Statistical Data p. 130 Alert Data p. 131 Session Data p. 135 Full Content Data p. 140 Putting It All Together p. 159 Acquiring a Forensic Duplication p. 161 Before You Jump Right In... p. 163 Preparing for a Forensic Duplication p. 163 Document, Document, Document! p. 166 Commercial-Based Forensic Duplications p. 171 The Read-Only IDE-to-Firewire Device p. 171 Acquiring a Forensic Duplication with EnCase p. 175 Acquiring a Forensic Duplication with FTK p. 181 Noncommercial-Based Forensic Duplications p. 187 DD p. 187 Creating an Evidence File p. 188 Creating an Evidence Hard Drive p. 192 DD Rescue p. 193 DCFLDD p. 195 NED-The Open Source Network Evidence Duplicator p. 197 Forensic Analysis Techniques p. 205 Common Forensic Analysis Techniques p. 207 Recovering Deleted Files p. 207 Open Source Solutions p. 207 Commercial Solutions p. 214 Production of Time Stamps and Other Metadata for Files p. 218 Open Source Solutions p. 218 Commercial Solutions p. 221 Removing Known Files p. 225 Open Source Solutions p. 225 Commercial Solutions p. 230 File Signatures and Electronic Discovery p. 233 Open Source Solutions p. 233 Commercial Solutions p. 236 String Searching and File Fragments p. 238 Open Source Solutions p. 238 Commercial Solutions p. 244 Web Browsing Activity Reconstruction p. 247 Commercial Forensic Tools p. 248

4 Open Source Solutions p. 260 Pasco-An Open Source Web Browsing Investigation Tool p. 260 Galleta-An Open Source IE Cookie Investigation Tool p. 268 Putting It All Together p Activity Reconstruction p. 273 Commercial Forensic Tools p. 273 Open Source Solutions p. 275 Outlook Express p. 275 Microsoft Windows Registry Reconstruction p. 291 Identifying Installed Programs p. 292 Identifying "Most Recently Used" Documents p. 296 Forensic Tool Analysis: An Introduction to Using Linux for Analyzing Files of Unknown Origin p. 301 Case Background p. 302 A Hands-On Introduction to Forensic Tool Analysis: Hello World! p. 303 Static Analysis of Hello p. 305 Dynamic Analysis of Hello p. 335 Putting It All Together p. 343 Forensic Tool Analysis: A Hands-On Analysis of the Linux File aio p. 345 Static Analysis of aio p. 346 md5sum p. 346 ls -al p. 346 file p. 347 strings p. 347 Hexadecimal Viewer p. 348 nm p. 349 ldd p. 350 readelf p. 350 objdump p. 352 Dynamic Analysis of aio p. 353 System Call Trace (strace) p. 353 GNU Debugger p. 358 Recovering the Uncompressed aio Binary p. 364 Recovery by Identifying the Packer That Was Used p. 374 Static Analysis of the Recovered Uncompressed Binary p. 377 Dynamic Analysis of the Recovered Uncompressed Binary p. 397 md5sum p. 408 Putting It All Together p. 408 Forensic Tool Analysis: Analyzing Files of Unknown Origin (Windows) p. 409 Case Background p. 409 A Hands-On Introduction to Forensic Tool Analysis: Hello World! p. 410 Static Analysis of hello.exe p. 415

5 Dynamic Analysis of hello.exe p. 438 Summary of hello.exe p. 444 A Hands-On Forensic Tool Analysis: sak.exe p. 444 Static Analysis of sak.exe p. 444 Dynamic Analysis of sak.exe p. 457 Putting It All Together p. 479 Creating a Complete Forensic Tool Kit p. 481 Building the Ultimate Response CD p. 483 Preparing the Windows Live Response Tools p. 483 Preparing the Unix Live Response Tools p. 492 Forensic Duplication Tools p. 500 DCFLDD p. 501 NED p. 502 Making Your CD-ROM a Bootable Environment p. 503 Knoppix-A Linux Distribution on a CD-ROM p. 503 The Knoppix CD-Rom p. 504 Mobile Device Forensics p. 513 Forensic Duplication and Analysis of Personal Digital Assistants p. 515 Case Background p. 515 Forensic Acquisition Utilizing EnCase p. 517 Initial Setup p. 518 EnCase p. 522 Forensic Acquisition Utilizing Paraben's PDA Seizure p. 531 Forensic Acquisition Utilizing Palm Debugger p. 540 Forensic Analysis of the Palm IIIc p. 556 Forensic Analysis of the HP ipaq Pocket PC 2003 p. 559 Forensic Analysis of the Palm m505 p. 563 Putting It All Together p. 570 Forensic Duplication of USB and Compact Flash Memory Devices p. 571 Duplicating USB Devices p. 571 Duplicating Compact Flash Cards p. 575 Forensic Analysis of USB and Compact Flash Memory Devices p. 577 USB Memory Devices p. 577 Open Source Solutions p. 578 Commercial Solutions p. 585 Compact Flash Cards p. 588 Open Source Solutions p. 589 Commercial Solutions p. 593 Online-Based Forensics p. 595 Tracing p. 597 Hotmail p. 597

6 Yahoo! p. 600 Netscape p. 601 Other Services p. 603 Anonymous R ers p. 605 Domain Name Ownership p. 609 Importing the TLD Zone Files into Postgres p. 610 Translating FQDNs to IP Addresses p. 616 Searching for Domains p. 619 Searching for DNSs p. 620 An Introduction to Perl p. 625 Reading Input p. 625 Matching Text p. 628 Regular Expressions p. 629 Formatting Output p. 632 Processing Live IR Data Collected p. 634 The Date Problem with Microsoft Excel p. 635 Index p. 637 Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.

Index. A agent notes worksheets, 168 aio file analysis dynamic analysis GNU debugger, , 362, 364. of recovered uncompressed aio binary,

Index. A agent notes worksheets, 168 aio file analysis dynamic analysis GNU debugger, , 362, 364. of recovered uncompressed aio binary, Jones_index.qxd 8/29/2005 11:04 AM Page 637 Index A agent notes worksheets, 168 aio file analysis dynamic analysis GNU debugger, 358-360, 362, 364 of recovered uncompressed aio binary, 397-402, 408 overview,