Digital Forensics (transcription of a presentation by Jason Trent and Laura Woodard)
Digital Forensics
Jason Trent, Laura Woodard
March 9, 2006

Outline
- What is Digital Forensics
- Who uses it
- Why is it used
- Where is it used
- JBRWWW Example

Outline cont.
Info you can find/use from volatile data:
- The System Date and Time
- Current Network Connections
- Open TCP and UDP Ports
- Which Executables are opening TCP or UDP Ports
- Cached NetBIOS Name Table
- Users Currently Logged On
- The internal routing table
- Running Processes
- Running Services
- Scheduled Jobs
- Open files
- Process Memory Dumps

What is Digital Forensics?
The use of specialized techniques for recovery, authentication, and analysis of electronic data. It is used for reconstruction of computer usage, examination of residual data, and authentication of data by technical analysis or explanation of technical features of data and computer usage.
Who Uses It?
- FBI
- Private companies
- Its services are used by many corporations.

Why is it Used?
- To view the amount of damage caused by an intruder.
- To find evidence of terrorism, child pornography, crimes of violence, theft or destruction of intellectual property, crimes, and fraud.

Computer Crime
The use of computers in crime falls into two general categories:
- They can be the instrument of an offence: a tool to commit theft, extortion, fraud, or attacks on other systems.
- They can contain evidence pertaining to an offence: communication with victims or accomplices, hiding evidence.

Types of Evidence
- Trace evidence: carried from the scene of a crime or left behind.
- Latent evidence: you cannot see or otherwise sense latent evidence. Special tools and procedures must be used to find it. It is fragile and subject to contamination. Electronic evidence falls in this category.
Electronic Evidence
Improper handling or examination may result in:
- Alteration
- Damage
- Destruction
This renders the evidence useless in court or leads to erroneous conclusions.

Certification of Evidence
- Proof that the evidence has not been contaminated.
- The chain of evidence must be preserved.

Forensic Analysis Process
- Acquisition: obtain forensic copies of the target media.
- Analysis: active file system, deleted files, slack space, unallocated space.
- Reporting
- Archiving

Where is it Used?
- Used on location, since dynamic memory information is very useful and many places can't afford to shut down a server.
- Used in labs.
- The information is used in court.
Do you always pull the plug when responding to an incident?
NO!
- The victim can't afford to remove the system from the network.
- The data currently in memory may be the only evidence of the incident.

JBRWWW Example
- JBRWWW is a large, well-respected financial institution.
- It has a Web site to check account activity, pay bills electronically, and execute other financial tasks.
- It has machines it uses when investigating bugs in its online software, and those machines are not protected by a firewall.
- On October 1st, 2003, an odd file is found on one of the customer desktop simulation systems.
- An update.exe file is noticed in C:\ on the Windows 2000 workstation (at IP address ) that was zero bytes long. This file was not placed on the machine during normal business practice.
Info from the Volatile Data
What it can tell us: who, how, and possibly why.

The System Date and Time
- Issue the time and date commands at the prompt.

Current Network Connections / Open TCP or UDP Ports
- Execute netstat -an.
- [netstat output, annotated on the original slide: NetBIOS port, IRC, NetBIOS, FTP port, Nattyserver or ChilliASP, response machine]
- An open rogue port usually denotes a backdoor running on the victim machine.
- We are interested in ports above 1024, since connections on them are short lived.
Which Executables are opening TCP or UDP Ports
- FPort, freely distributed at www.foundstone.com.
- To use it, all we need to do is execute FPort.
- Iroffer is a legitimate tool; it connects to IRC channels and offers remote control of JBRWWW.
- These two lines provide confirmation that there was an incident involving JBRWWW. We can also tell that they have a netcat session.

Cached NetBIOS Name Table
- Windows (up until version 2003) stored connection specifics by NetBIOS name rather than IP address.
- Issue the nbtstat command to dump the victim system's NetBIOS name cache, since we want to map a NetBIOS name to an IP address.
- Note: this command will only show us the NetBIOS name table cache, not a complete history of connections.

Cached NetBIOS Name Table cont.
- Running nbtstat -c, we receive:

Users Currently Logged On
- PsLoggedOn, distributed within the PsTools suite from
- When we execute it we get:
- There is one user logged in locally. The second login is also Administrator, but it is a remote login.
- For a user to be connected remotely, he or she must be connected to a NetBIOS port. For Windows 2000, that is TCP port 445 or 139.
- Therefore we now know the attacker's IP is
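The two triage rules used on the last few slides (a listening port above 1024 that no expected service accounts for points at a backdoor, and a remote login must arrive over TCP 139 or 445, so the peer on those ports is the remote Administrator's address) can be applied mechanically to netstat output. The following is an added example, not code from the presentation; it assumes `netstat -ano` style lines with a PID column (the slides used FPort to tie ports to executables), IPv4 addresses only, and a constructed sample whose PIDs follow the ones quoted later in the slides.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: str   # kept as text because UDP rows show "*"
    state: str         # empty for UDP rows
    pid: int


# Constructed sample in the shape of `netstat -ano` output (assumption).
# Addresses are from documentation ranges; PIDs 1424 (netcat) and 1224
# (iroffer) follow the values the slides quote.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:60906          0.0.0.0:0              LISTENING       1424
  TCP    192.0.2.10:139         198.51.100.7:1235      ESTABLISHED     8
  TCP    192.0.2.10:1187        198.51.100.44:6667     ESTABLISHED     1224
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed PID -> image map, as pslist (or FPort) would supply it.
SAMPLE_PIDS: Dict[int, str] = {744: "svchost.exe", 8: "System",
                               1424: "nc.exe", 1224: "iroffer.exe"}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Listening ports expected on a box of this role (assumption for the example);
# any other TCP listener above 1024 is reported for follow-up.
EXPECTED_LISTEN_PORTS: Set[int] = {80, 135, 139, 443, 445}
NETBIOS_PORTS = {139, 445}


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat rows into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip, rport, state or "", int(pid)))
    return conns


def rogue_listeners(conns: List[Conn], pid_map: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """TCP listeners above 1024 not in the expected set, with the owning image."""
    return [(c.local_port, c.pid, pid_map.get(c.pid, "?"))
            for c in conns
            if c.proto == "TCP" and c.state == "LISTENING"
            and c.local_port > 1024 and c.local_port not in EXPECTED_LISTEN_PORTS]


def established_peers(conns: List[Conn]) -> Set[str]:
    """Every remote host with an established TCP connection."""
    return {c.remote_ip for c in conns if c.state == "ESTABLISHED"}


def netbios_peers(conns: List[Conn]) -> Set[str]:
    """Remote hosts attached to 139/445: the candidates for the remote Administrator login."""
    return {c.remote_ip for c in conns
            if c.state == "ESTABLISHED" and c.local_port in NETBIOS_PORTS}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("rogue listeners:", rogue_listeners(conns, SAMPLE_PIDS))
    print("established peers:", established_peers(conns))
    print("NetBIOS peers:", netbios_peers(conns))
```

On the constructed sample the only rogue listener is port 60906 owned by PID 1424 (nc.exe), and the single host attached to port 139 is the one the slides' reasoning would name as the attacker. The expected-port set is the part to adapt per host role; a port missing from it is not proof of compromise, only a lead to check against the process list.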
Internal Routing Table
- An attacker may alter the routing tables to redirect traffic in some manner.
- A benefit for the attacker of rerouting traffic is avoiding a security device, such as a firewall.
- Another reason an attacker may alter the route table is to redirect the flow of traffic in order to sniff (capture) the data flying by on the network connection.

Internal Routing Table cont.
- We can examine the routing table by issuing the netstat command:
- Looks normal.

Running Processes
- We would like to know what processes the attacker executed, because they could contain backdoors or further the attacker's efforts into the victim's network.
- We can list the process table with the pslist tool from the PsTools suite, distributed from

Running Processes cont.
- Executing pslist gives us:
Running Services
- There was a process running with the name PSEXESVC.
- We can see a list of services with the PsService executable.

Running Services cont.
- We can see that the PSEXESVC service is running, and we find information linking PSEXESVC to the PsExec tool.
- Note that even if the PsExec tool were renamed, we would still see this service in the service listing.
- Services can hide programs in them. In addition, services can be forced to start up at reboot.

Scheduled Jobs
- Allow an attacker to run commands when he is not even on the box.
- For example, an attacker may want to schedule a job that will open a backdoor every night at 2 AM. That way, your usual security port scans will not pick up the backdoor during work hours.
- By typing at, you can see the jobs that are scheduled.

Open Files
- The PsTools suite contains another tool we can use to retrieve open file information, called Psfile.
- When we run it on JBRWWW, we see the following:
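The service and scheduled-job slides above describe two checks a responder makes by eye: a service name tied to a remote-execution tool survives even if the tool's binary was renamed, and a recurring job outside working hours is worth a second look. The following added example (not code from the presentation) runs both checks over constructed listings; it assumes a service listing in the SERVICE_NAME/DISPLAY_NAME/STATE layout that sc query and PsService print, the column layout of the `at` command, a 07:00 to 19:00 business-hours window, and that legitimate scheduled binaries live under C:\WINNT or C:\Program Files. The job command line C:\update.exe is constructed, echoing the zero-byte file the JBRWWW example starts from.

```python
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed service listing (assumed sc query / PsService layout).
SAMPLE_SERVICES = """\
SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        TYPE              : 20 WIN32_SHARE_PROCESS
        STATE             : 4  RUNNING

SERVICE_NAME: PSEXESVC
DISPLAY_NAME: PSEXESVC
        TYPE              : 10 WIN32_OWN_PROCESS
        STATE             : 4  RUNNING

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
        TYPE              : 20 WIN32_SHARE_PROCESS
        STATE             : 4  RUNNING
"""

# Constructed `at` job table.
SAMPLE_AT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    2:00 AM       C:\\update.exe
        2   Tomorrow                9:30 AM       C:\\WINNT\\system32\\defrag.exe C:
"""

# Service names the slides link to a remote-execution tool (PsExec's PSEXESVC).
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))            # assumption
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\program files\\")  # assumption


def parse_services(text: str) -> Dict[str, str]:
    """Map SERVICE_NAME -> STATE word (RUNNING, STOPPED, ...)."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            services[current] = ""
            continue
        m = re.match(r"^\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            services[current] = m.group(1)
    return services


def remote_exec_artifacts(services: Dict[str, str]) -> List[str]:
    """Services that point at a remote-execution tool, whether or not its binary was renamed."""
    return sorted(n for n in services if n.upper() in REMOTE_EXEC_SERVICES)


JOB_RE = re.compile(
    r"^(?P<status>\S+)?\s*(?P<id>\d+)\s+(?P<day>.+?)\s{2,}"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>.+?)\s*$")


def parse_at(text: str) -> List[dict]:
    """Parse `at` rows; the header and the rule of dashes do not match JOB_RE."""
    jobs = []
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if not m:
            continue
        j = m.groupdict()
        j["id"] = int(j["id"])
        j["time"] = datetime.strptime(j["time"], "%I:%M %p").time()
        j["recurring"] = j["day"].startswith("Each")
        jobs.append(j)
    return jobs


def suspicious_jobs(jobs: List[dict]) -> List[Tuple[int, List[str]]]:
    """Job ids with the reasons they merit follow-up."""
    flagged = []
    for j in jobs:
        reasons = []
        if j["recurring"] and not BUSINESS_HOURS[0] <= j["time"] <= BUSINESS_HOURS[1]:
            reasons.append("recurs outside business hours")
        exe = j["cmd"].split()[0].lower()
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append("runs a binary outside the system directories")
        if reasons:
            flagged.append((j["id"], reasons))
    return flagged


if __name__ == "__main__":
    print("remote-exec services:", remote_exec_artifacts(parse_services(SAMPLE_SERVICES)))
    print("suspicious jobs:", suspicious_jobs(parse_at(SAMPLE_AT)))
```

Job 1 is flagged on both counts while the 9:30 AM defrag job passes; the service check reports PSEXESVC regardless of what the PsExec binary on disk is called, which is exactly the point the slide makes about renamed tools.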
Open Files cont.
- Psfile reports a system pipe opened by PSEXESVC.
- We now see the word CAINE, which is the name of the computer that connected to JBRWWW using PsExec.

Process Memory Dumps
- To help us see what the attacker ran, we will capture the memory space of the suspect processes.
- With the increasing sophistication of intrusion tools and techniques, the acquisition and processing of application and system memory may be of paramount importance. They may provide critical investigative evidentiary material of a volatile nature.
- Data that may be lost include:
  - The command line used by the intruder to execute a process
  - Remotely executed console commands and their output
  - Clear text passwords
  - Unencrypted data

Process Memory Dumps cont.
- Microsoft provides a utility called userdump.exe for the Windows NT family of operating systems that enables us to capture the memory space utilized by any executing process.
- This tool is a component of the Microsoft OEM Support Tools package, available at 000srv/Utility/3.0/NT45/EN-US/Oem3sr2.zip
- To execute userdump on a single suspect process, we simply supply it with a process ID obtained earlier using pslist (PID 1424).

Process Memory Dumps cont.
- Then, to examine the memory dump, we run dumpchk.exe, a utility provided as a component of the Debugging Tools for Windows, which are available at uging/default.mspx.
- For brevity, we won't show the output.
Process Memory Dumps cont.
- The output confirms the file name and location and provides a list of associated dynamic link library files, along with timestamps and the command line used to initiate the netcat process.
- netcat was configured to detach from the console, listen on port 60906, and execute a command shell whenever a connection occurred.
- Subsequent examination with dumpchk reveals that PID 1224 was initiated with a command line of iroffer myconfig, and PID 1372 with ftp

Process Memory Dumps cont.
- Because data stored by an application or process in memory may be in Unicode format, we need to use a Unicode-capable Windows version of the strings command. One is available at
- Running strings on the memory dump, you'll see the application environment, which provides the computer name, the system path, the location on the file system of the executed application, and the command line used.

Process Memory Dumps cont.
- Nothing here is earth shattering, but it does provide information that supports the analysis.

Scenario: Electric Power 4U
- Electric Power 4U is a mid-size electric power provider.
- They utilize a typical network-centric system to record billing information and provide that information to customers.
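Returning to the strings step of the memory-dump analysis: the slides note that an ASCII-only strings tool misses what Windows keeps in memory as UTF-16LE (the process environment block and command line, for instance). The following added example (not code from the presentation) is a small Unicode-capable strings extractor run over a constructed process-memory dump; the dump contents, the ComSpec and COMPUTERNAME values, and the minimum string length are all assumptions, while the iroffer myconfig command line is the one the slides report.

```python
import re
from typing import Dict, List, Tuple

PRINTABLE = rb"[\x20-\x7e]"   # printable 7-bit range, one byte per character


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs, ordered by offset.

    A UTF-16LE run is a sequence of printable-byte / NUL pairs; an ASCII-only
    scanner sees each such character as a run of length 1 and drops it.
    """
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


ENV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_()]*)=(.+)$")


def environment_vars(strings: List[Tuple[int, str, str]]) -> Dict[str, str]:
    """Pull NAME=VALUE pairs (the process environment block) out of the strings."""
    env = {}
    for _, _, text in strings:
        m = ENV_RE.match(text)
        if m:
            env[m.group(1)] = m.group(2)
    return env


# Constructed dump: binary noise, one ASCII environment entry, then a UTF-16LE
# environment entry and a UTF-16LE command line, then a too-short ASCII run.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00\x03\x00"
    + b"ComSpec=C:\\WINNT\\system32\\cmd.exe\x00"
    + b"\xff\xfe\x7f"
    + "COMPUTERNAME=JBRWWW".encode("utf-16-le") + b"\x00\x00"
    + "iroffer myconfig".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02short\x00\xfe"
)


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:6d}  {encoding:9s}  {text}")
    print("environment:", environment_vars(extract_strings(SAMPLE_DUMP)))
```

With the default minimum length the computer name and the iroffer command line surface only through the UTF-16LE pass, which is the behaviour the slides call for; lowering min_len recovers shorter fragments at the cost of more noise.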
[Network diagram (source: Erickson [1]), reused on each of the following slides with callouts: vendor Ethernet LAN and vendor website, home dial-in, modem bank, intranet, wireless hub, site LAN, router, client/control Ethernet LAN, and the manufacturing I/O network.]

- 9:10: Automated analysis tools confirm the suspicion that an attacker invaded EP4U at 9:00.
- 9:30: All risks have successfully been mitigated, but how was the system compromised?
- The control network is only connected to the corporate network, and reaching it requires passing through a firewall. No other entry points exist.
- The firewall is configured to only allow the billing server to communicate with the control network. This is done so that the billing server can gather billing data in near real time.
- Investigation shows that the billing server was compromised at 7:30. Possible entry vectors: wireless LAN, modem bank.
- Investigation shows that the billing server had no communication with the wireless LAN or modem bank. How did the attacker get through the firewall?
- The only traffic allowed through the firewall is the web server's. The web server is actually in the demilitarized zone (DMZ). The web server passes through the firewall to retrieve billing information and allow customers access to their account status and the ability to pay their bill.
- Analysis of the web server shows that it was compromised at 6:15. We have an IP address of the attacker, but will we be able to link it to them?

Timeline
- 6:15 Web attacked
- 7:30 Billing attacked
- 9:00 Attacked
- 9:10 Compromise confirmed
- 9:30 Risk mitigated

Conclusion
- Unless absolutely necessary, don't pull the plug on a suspect or victim machine.
- There is a wealth of information that can be obtained from the volatile data that would be lost if you do.
If interested in Digital Forensics
- Cyberspeak: cyberspeak.com
- Checkmate E-zine: niiconsulting.com/checkmate/

Suggested Reading
- Computer Forensics and Privacy, Michael A. Caloyannides, Artech House.
- Handbook of Computer Crime Investigation: Forensic Tools and Technology, ed. by Eoghan Casey, Academic Press.
- Forensic Computer Analysis: An Introduction, by Wietse Venema and Dan Farmer. n.html
- A Brief History of Computer Forensics, Mark Pollitt, Chairman, SWG-DE. ryofcf.pdf
References
1. Programmable Logic Controllers: An Emphasis on Design and, Kelvin T. Erickson, Dogwood Valley Press.
More informationDIS10.3:CYBER FORENSICS AND INVESTIGATION
DIS10.3:CYBER FORENSICS AND INVESTIGATION ABOUT DIS Why choose Us. Data and internet security council is the worlds top most information security certification body. Our uniquely designed course for information
More informationAdvanced Security Measures for Clients and Servers
Advanced Security Measures for Clients and Servers Wayne Harris MCSE Senior Consultant Certified Security Solutions Importance of Active Directory Security Active Directory creates a more secure network
More informationDIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING
17.09.24 DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING FORENSICS FRAMEWORK FOR CLOUD COMPUTING OUTLINE Abstract Introduction Challenges in cloud forensics Proposed solution Conclusion Opinion
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Fundamentals of Linux Platform Security Module 11 Introduction to Forensics Overview
More informationPayment Card Industry Data Security Standard (PCI DSS) Incident Response Plan
1. Introduction This defines what constitutes a security incident specific to Yonder s Cardholder Data Environment (CDE) and outlines the incident response phases. For the purpose of this Plan, an incident
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationQuestion 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:
Cybercrime Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1: Organizations can prevent cybercrime from occurring through the proper use of personnel, resources,
More informationTestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified
TestOut Network Pro - English 5.0.x COURSE OUTLINE Modified 2018-03-06 TestOut Network Pro Outline - English 5.0.x Videos: 130 (17:10:31) Demonstrations: 78 (8:46:15) Simulations: 88 Fact Sheets: 136 Exams:
More informationWireless LAN Security (RM12/2002)
Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For
More informationCTS2134 Introduction to Networking. Module 08: Network Security
CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting
More informationRESPONDING TO THE MOST COMMON WINDOWS NT/2000 ATTACKS
RESPONDING TO THE MOST COMMON WINDOWS NT/2000 ATTACKS Responding to the Most Common Windows NT/2000 Attacks: With the increase in the number of attacks against Windows-based Web servers, it is becoming
More informationComputer Forensic Capabilities. Cybercrime Lab Computer Crime and Intellectual Property Section United States Department of Justice
Computer Forensic Capabilities Cybercrime Lab Computer Crime and Intellectual Property Section United States Department of Justice Agenda What is computer forensics? Where to find computer evidence Forensic
More informationCNIT 121: Computer Forensics. 9 Network Evidence
CNIT 121: Computer Forensics 9 Network Evidence The Case for Network Monitoring Types of Network Monitoring Types of Network Monitoring Event-based alerts Snort, Suricata, SourceFire, RSA NetWitness Require
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More information7.16 INFORMATION TECHNOLOGY SECURITY
7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for
More informationWireless LANs (CO72047) Bill Buchanan, Reader, School of Computing.
Bill Buchanan, Reader, School of Computing. W.Buchanan (1) Lab setup W.Buchanan (2) W.Buchanan (3) Console Server Con Cisco Aironet 1200 192.168.1.100 Port 2001 Con Cisco Aironet 1200 192.168.1.100 Port
More informationNetworking interview questions
Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected
More informationGuide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations
Guide to Computer Forensics and Investigations Fourth Edition Chapter 2 Understanding Computer Investigations Objectives Explain how to prepare a computer investigation Apply a systematic approach to an
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More informationChapter 13: The IT Professional
Chapter 13: The IT Professional IT Essentials v6.0 ITE v6.0 1 Chapter 13 - Sections & Objectives 13.1 Communication Skills and the IT Professional Explain why good communication skills are a critical part
More informationUnique Phishing Attacks (2008 vs in thousands)
The process of attempting to acquire sensitive information, such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. In the 2 nd half
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More information10/13/11. Objectives. Live Acquisition. When do we consider doing it? What is Live Acquisition? The Order of Volatility. When do we consider doing it?
Live Acquisition Objectives Understand what Live Acquisition is and when it is appropriate Understand the concept of Order of Volatility Understand live acquisition issues and limitations Be able to perform
More informationFeasibility study of scenario based self training material for incident response
24th Annual FIRST Conference Feasibility study of scenario based self training material for incident response June 21, 2012 Hitachi Incident Response Team Chief Technology and Coordination Designer Masato
More informationData Communication. Chapter # 5: Networking Threats. By: William Stalling
Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals
More information