MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY
1 MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY. National Congress of Criminalistics 2017. By Alexandre Borges.
2 PROFILE AND TOC
Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation. Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec. Member of the Digital Law and Compliance Committee (CDDC / SP). Member of the CHFI Advisory Board at EC-Council. Reviewer for The Journal of Digital Forensics, Security and Law. Referee for Digital Investigation: The International Journal of Digital Forensics & Incident Response. Author of the Oracle Solaris Advanced Administration book.
TOC: Introduction; Memory Acquisition; Memory Analysis; Example 1; Example 2; Thank you.
3 INTRODUCTION
4 INTRODUCTION While handling an infection case, we could follow this approach:
- Interview and photos of the physical environment
- Memory acquisition
- Incident response commands
- Disk image acquisition
- Network packet gathering
- Analysis
- Report
5 INTRODUCTION Malware Analysis:
- Basic static analysis
- Basic dynamic analysis
- Memory analysis
- Advanced static and dynamic analysis (IDA PRO / RADARE2 + debugging in ring 3 and ring 0)
6 INTRODUCTION Unfortunately, several anti-forensic techniques make our analysis more complicated, such as:
- Anti-VM
- Anti-disassembly
- Packers
- Instruction virtualization
- Anti-debugging
- Obfuscation
7 INTRODUCTION Nevertheless, while working on real incidents, the main question is still: where is the malware?
8 INTRODUCTION
- Hidden and terminated processes
- Hidden services
- Hidden DLLs
- Hidden sockets
- Kernel modules
- Internet history
- Registry keys existing only in memory
- Passwords
- Shell history
9 INTRODUCTION (diagram: a doubly linked list of entries 101, 102 and 103 connected by flink and blink pointers, drawn twice)
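An added example, not part of the slides, that models the diagram above: three entries (101, 102, 103) on a doubly linked list joined by flink/blink pointers, the way a rootkit unlinks one entry with Direct Kernel Object Manipulation (DKOM) so that walking the list from the head no longer reaches it, and how a scan of every entry still present in memory finds it anyway (the pslist/psscan cross-view). The names Entry, ProcessList, hidden_pids and link_inconsistent are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """One list node, standing in for an _EPROCESS on the ActiveProcessLinks list."""
    pid: int
    name: str
    flink: Optional["Entry"] = None  # forward link to the next entry
    blink: Optional["Entry"] = None  # backward link to the previous entry


class ProcessList:
    """Circular doubly linked list with a head node, plus a record of every
    entry ever allocated (a constructed stand-in for pool memory that a
    signature scanner would sweep)."""

    def __init__(self) -> None:
        self.head = Entry(0, "<list head>")
        self.head.flink = self.head.blink = self.head
        self.pool: List[Entry] = []

    def insert_tail(self, pid: int, name: str) -> Entry:
        e = Entry(pid, name)
        last = self.head.blink
        e.blink, e.flink = last, self.head
        last.flink = e
        self.head.blink = e
        self.pool.append(e)
        return e

    def dkom_unlink(self, e: Entry) -> None:
        """What a DKOM rootkit does: the neighbours bypass the entry, but the
        entry itself is left intact in memory so the process keeps running."""
        e.blink.flink = e.flink
        e.flink.blink = e.blink

    def walk(self) -> List[int]:
        """List-walk view (what pslist does): follow flink from the head."""
        pids, cur = [], self.head.flink
        while cur is not self.head:
            pids.append(cur.pid)
            cur = cur.flink
        return pids

    def scan(self) -> List[int]:
        """Scan view (what psscan does): every entry present in memory,
        whether or not anything still points at it."""
        return [e.pid for e in self.pool]


def hidden_pids(plist: ProcessList) -> List[int]:
    """Cross-view check: entries found by scanning but missed by walking."""
    return sorted(set(plist.scan()) - set(plist.walk()))


def link_inconsistent(plist: ProcessList) -> List[int]:
    """Second check: an unlinked entry still points at neighbours that no
    longer point back at it."""
    return sorted(e.pid for e in plist.pool
                  if e.flink.blink is not e or e.blink.flink is not e)


def demo() -> dict:
    """Build the diagram's three entries, hide 102, and compare both views."""
    plist = ProcessList()
    entries = {pid: plist.insert_tail(pid, f"proc{pid}") for pid in (101, 102, 103)}
    before = plist.walk()
    plist.dkom_unlink(entries[102])
    return {
        "walk_before": before,
        "walk_after": plist.walk(),
        "scan": plist.scan(),
        "hidden": hidden_pids(plist),
        "inconsistent": link_inconsistent(plist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13}: {value}")
```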
10 INTRODUCTION Listening sockets and established connections. (diagram labels: inserted, deleted)
11 INTRODUCTION Why should we use memory forensic analysis?
- Most of the time, we don't know where the malware is.
- Most of the information that can be recovered from memory is neither on disk nor on the network.
- In memory, malware has few protections.
- Modern malware operates only in memory (Duqu 2).
12 MEMORY ACQUISITION
13 MEMORY ACQUISITION There are interesting sources of information, such as:
- RAM
- Hibernation files
- Crash dump (complete)
- Page files
14 MEMORY ACQUISITION
Page files: do you know how to list all page files on a Windows system? (Remember: up to 16 page files on Windows.)
Hibernation files:
- Compressed: we need to uncompress it (raw memory; no headers or CPU registers/state).
- Usually it is enabled.
- Sometimes it is not zeroed out after a laptop resumes.
15 MEMORY ACQUISITION Crash dump:
- It should be a complete memory dump (not a kernel memory dump or a small dump).
- Usually, it does not include the device memory region.
- Usually, it does not include the first physical page (MBR).
- It may be subverted by malware that has registered a bug check callback (KeRegisterBugCheckCallback function).
16 MEMORY ACQUISITION Excellent tools for memory acquisition are:
- Surge Collect Pro from Volexity (mainly Win10 and Win2016)
- F-Response
- KnTDD from the KnTTool package (unfortunately, George M. Garner Jr. passed away last July. He was 61.)
17 MEMORY ACQUISITION
- Memoryze
- FTK Imager
- Belkasoft Live RAM Capturer
- MoonSols
- LiME (Linux Memory Extractor)
- Hardware devices
18 MEMORY ACQUISITION Acquire memory and other important files by running the following command:
E:\dumps> kntdd.exe -v -o win7mem.bin --log --cryptsum sha_512 --pagefiles --force_pagefiles --4gplus --cert alexandre.borges.cer --comp gzip --case alex001
19 MEMORY ACQUISITION Where:
-v: verbose mode.
-o: output file.
--log: sends the log output to a file.
--cryptsum: generates checksums for the image using the specified algorithm. In this case we used sha_512.
--pagefiles: acquires the system pagefiles.
20 MEMORY ACQUISITION
--force_pagefiles: acquires all system pagefiles, including those that report zero current and peak usage.
--4gplus: acquires unmanaged memory above 4 GB.
--comp: compresses the output (possible values: zlib, gzip, bzip2, lznt1, zlib+, gzip+, lznt1+).
--cert: digital certificate.
--case: case number.
21 MEMORY ACQUISITION
E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\> dir
09/30/ :37 PM 934 win7mem.bin.dumpheader.gz.kpg
09/30/ :37 PM 1,112,025,286 win7mem.bin.gz.kpg
09/30/ :37 PM 7,734 win7mem.log.kpg
09/30/ :37 PM 1,021,030 win7mem.user_system_state.xml.kpg
09/30/ :37 PM 7,558 win7mem.xml.kpg
09/30/ :37 PM <DIR> WINDOWS
22 MEMORY ACQUISITION KnTDD has acquired the physical memory dump, page files, log, user system state and hashes. A few critical OS files such as ntoskrnl.exe, ndis.sys, tcpip.sys, etc. are also usually collected. On the forensic workstation, decrypt the files by using the following command:
C:\> kntencrypt.exe -v -d --cert alexandre.borges.cer "E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\*"
23 MEMORY ACQUISITION Uncompress the evidence files by running the following command:
C:\> dd.exe -v if="E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\*" of=decompressed\ --decomp gzip --sparse --localwrt
Where:
if: files to be decompressed.
of: directory in which to save the decompressed files.
--decomp: algorithm used to decompress the files.
--sparse: files are recompressed using NTFS file compression.
--localwrt: enables writing output to a local fixed drive.
24 MEMORY ACQUISITION Using RamCapture by Belkasoft:
C:\RamCapturer> dir
09/29/ :29 AM 148,192 RamCapture64.exe
09/29/ :29 AM 13,344 RamCaptureDriver64.sys
25 MEMORY ACQUISITION (screenshot slide; only the notice was transcribed) ALEXANDRE BORGES: IT IS NOT ALLOWED TO COPY OR REPRODUCE THIS SLIDE.
26 MEMORY ANALYSIS
27 MEMORY ANALYSIS Volatility: developed by Michael Ligh, Jamie Levy, Andrew Case and Aaron Walters. Supports Windows, Linux and Mac (32-bit and 64-bit). Four methods to install it: standalone executable; Python source code; git clone.
28 EXAMPLE 1
29-32 MEMORY ANALYSIS EXAMPLE 1 (screenshot slides; no text transcribed)
33 MEMORY ANALYSIS EXAMPLE 1
root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/vms/malware1.vmem apihooks
34 MEMORY ANALYSIS EXAMPLE 1 When a driver has finished all processing for a given IRP, it calls IoCompleteRequest. The I/O manager checks the IRP to determine whether any higher-level drivers have set up an IoCompletion routine for the IRP. If so, each IoCompletion routine is called in turn, until every layered driver in the chain has completed the IRP.
VOID IoCompleteRequest(
  _In_ PIRP  Irp,
  _In_ CCHAR PriorityBoost
);
35-37 MEMORY ANALYSIS EXAMPLE 1 (screenshot slides; no text transcribed)
38 MEMORY ANALYSIS EXAMPLE 1
root@kali:/tmp# strings -el driver.8643b000.sys
\Driver
svchost.exe
\DosDevices\%s
\Device\%s
{9DD6AFA B-EDCB A}
RulesData
39-43 MEMORY ANALYSIS EXAMPLE 1 (screenshot slides; no text transcribed)
44 MEMORY ANALYSIS EXAMPLE 1
root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/vms/malware1.vmem rootkitscanner
45 MEMORY ANALYSIS EXAMPLE 1
root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/vms/malware1.vmem svcscan -v | grep -B5 -A4 -i hqyigk
Offset: 0x38bb98
Order: 280
Start: SERVICE_AUTO_START
Process ID: -
Service Name: hqyigk
Display Name: hqyigk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -
ServiceDll:
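Grepping for one known name works once you already have it; the added example below (not code from the slides or from Volatility) parses the record layout of svcscan -v shown above into one dict per service and applies two heuristics that fit this finding: a kernel driver service whose Binary Path is "-" and a short, generated-looking name that doubles as its display name. The sample text, the vowel-ratio rule in looks_random and the function names are constructed assumptions of this example.

```python
from typing import Dict, List

# Constructed sample in the layout of Volatility 2 "svcscan -v" output:
# the driver service from the slide plus two ordinary services for contrast.
SAMPLE_SVCSCAN = """\
Offset: 0x38bb98
Order: 280
Start: SERVICE_AUTO_START
Process ID: -
Service Name: hqyigk
Display Name: hqyigk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -
ServiceDll:

Offset: 0x38a0c0
Order: 12
Start: SERVICE_SYSTEM_START
Process ID: -
Service Name: Beep
Display Name: Beep
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \\Driver\\Beep
ServiceDll:

Offset: 0x38c1a0
Order: 301
Start: SERVICE_AUTO_START
Process ID: 1044
Service Name: Dhcp
Display Name: DHCP Client
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
ServiceDll: C:\\WINDOWS\\system32\\dhcpcsvc.dll
"""


def parse_svcscan(text: str) -> List[Dict[str, str]]:
    """Split verbose svcscan output into one dict per service record.
    Records are separated by blank lines; each line is 'Key: value'."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon only; paths keep theirs
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a rule from the slides):
    a short, all-lowercase alphabetic name with very few vowels reads as generated."""
    if not (5 <= len(name) <= 12) or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.25


def triage_services(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the records that match either heuristic, with the reasons."""
    findings = []
    for r in records:
        reasons = []
        if (r.get("Service Type") == "SERVICE_KERNEL_DRIVER"
                and r.get("Binary Path", "-") in ("", "-")):
            reasons.append("kernel driver service with no binary path")
        name, display = r.get("Service Name", ""), r.get("Display Name", "")
        if name and name == display and looks_random(name):
            reasons.append("generated-looking name used as its own display name")
        if reasons:
            findings.append({"name": name, "offset": r.get("Offset"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_services(parse_svcscan(SAMPLE_SVCSCAN)):
        print(f"{f['offset']} {f['name']}: {'; '.join(f['reasons'])}")
```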
46 MEMORY ANALYSIS EXAMPLE 1 (screenshot slide; no text transcribed)
47 MEMORY ANALYSIS EXAMPLE 1 We have obtained the driver module for possible analysis in IDA PRO...
48 MEMORY ANALYSIS EXAMPLE 1 Callbacks are a kind of modern hook, because they tell us which kernel module will be called when a specified event occurs. Additionally, they are safe on multicore systems. For example, PsSetCreateThreadNotifyRoutine registers a routine that is called every time a thread starts or ends.
49-51 MEMORY ANALYSIS EXAMPLE 1 (screenshot slides; no text transcribed)
52 MEMORY ANALYSIS EXAMPLE 1
root@kali:/tmp/vaddump# ls | grep f80000
svchost.exe.661e6e8.0x00f x00f88fff.dmp
root@kali:/tmp/vaddump# strings -a svchost.exe.661e6e8.0x00f x00f88fff.dmp > /tmp/strings.txt
root@kali:/tmp/vaddump# strings -el svchost.exe.661e6e8.0x00f x00f88fff.dmp >> /tmp/strings.txt
53 MEMORY ANALYSIS EXAMPLE 1
root@kali:/tmp# cat strings.txt
cmd.exe /C
\drivers\
main.dll.bdata
POST
Content-Type: application/x-www-form-urlencoded
rexec
lexec
http xwinxp_380eed8c
C:\WINDOWS\system32\drivers\str.sys
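An added example, not code from the slides, that reproduces what the two strings runs above do, printable-ASCII extraction (-a) and UTF-16LE extraction (-el), over a constructed byte buffer standing in for the dumped svchost.exe region, and then flags the indicators the slide's output contains (cmd.exe /C, a POST with a form-encoded body, rexec/lexec, a driver path under system32\drivers). The buffer, the INDICATORS table with its labels, and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

MIN_LEN = 4  # GNU strings' default minimum length

# Printable-ASCII runs ("strings -a") and UTF-16LE runs ("strings -el"):
# a wide character is a printable byte followed by a NUL byte.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicators drawn from the strings the slide shows in the dumped region.
# The labels are this example's reading of them, not text from the slides.
INDICATORS = [
    (re.compile(r"^cmd\.exe /C"), "command execution through cmd.exe /C"),
    (re.compile(r"^POST$"), "HTTP POST verb in a region that should hold no HTTP client"),
    (re.compile(r"application/x-www-form-urlencoded", re.I), "form-encoded HTTP body"),
    (re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.I), "driver path referenced from an svchost region"),
    (re.compile(r"^[rl]exec$"), "remote/local exec keyword"),
]


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE string,
    sorted by offset, the way the two strings runs would report them."""
    found: List[Tuple[int, str, str]] = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RUN.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def triage_strings(strings: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Match every extracted string against INDICATORS; return (offset, text, label)."""
    hits = []
    for off, _enc, text in strings:
        for pat, label in INDICATORS:
            if pat.search(text):
                hits.append((off, text, label))
    return hits


def build_sample_region() -> bytes:
    """Constructed stand-in for a dumped VAD region: non-printable filler
    around a few ASCII and UTF-16LE strings like those in the slide."""
    filler = b"\x00\x8f\x01\xc3\x90\x90\xff"
    parts = [
        filler * 3,
        b"cmd.exe /C\x00",
        filler * 2,
        b"POST\x00",
        b"Content-Type: application/x-www-form-urlencoded\x00",
        filler,
        "C:\\WINDOWS\\system32\\drivers\\str.sys".encode("utf-16-le") + b"\x00\x00",
        filler * 4,
        b"rexec\x00lexec\x00",
        b"ab\x00",  # shorter than MIN_LEN, so never reported
        filler,
    ]
    return b"".join(parts)


def run_example():
    region = build_sample_region()
    found = extract_strings(region)
    return found, triage_strings(found)


if __name__ == "__main__":
    found, hits = run_example()
    for off, enc, text in found:
        print(f"{off:#08x} {enc:8} {text}")
    print("indicators:")
    for off, text, label in hits:
        print(f"  {off:#08x} {text!r}: {label}")
```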
54-55 MEMORY ANALYSIS EXAMPLE 1 (screenshot slides; no text transcribed)
56 MEMORY ANALYSIS EXAMPLE 1 (diagram: SSDT (System Service Descriptor Table). User mode enters the kernel through INT 2E or SYSENTER into KiSystemService(). The SSDT has four entries: SSDT #1, the native service table (ntoskrnl.exe); SSDT #2, the GUI service table (win32k.sys); SSDT #3 and SSDT #4, not used. Each entry carries a service table pointing to its functions (Function 1, Function 2, ..., Function n), a counter table, a service limit and an arguments table.)
57 MEMORY ANALYSIS EXAMPLE 1 (screenshot slide; no text transcribed)
58 MEMORY ANALYSIS EXAMPLE 1 We should remember that since Windows 8.1 x64 there is no _ETHREAD.Tcb.ServiceTable member anymore (as there was in 32-bit Windows XP). Therefore, to enumerate the SSDT, it is necessary to disassemble the nt!KeAddSystemServiceTable function and extract the RVAs (relative virtual addresses) of the KeServiceDescriptorTable and KeServiceDescriptorTableShadow symbols.
59 MEMORY ANALYSIS EXAMPLE 1 (screenshot labels: RVA for KeServiceDescriptorTable; RVA for KeServiceDescriptorTableShadow)
60 EXAMPLE 2
61-94 MEMORY ANALYSIS EXAMPLE 2 (screenshot slides; no text transcribed)
95 REMEMBER We are always in CONTROL...
96 ALMOST FINISHING...
97 THANK YOU FOR ATTENDING MY LECTURE!
Chapter 2: Operating-System Structures Chapter 2: Operating-System Structures Operating System Services! User Operating System Interface! System Calls! Types of System Calls! System Programs! Operating
More informationTask 2: TCP Communication
UNIVERSITY OF TARTU, INSTITUTE OF COMPUTER SCIENCE Task 2: TCP Communication Hadachi&Lind October 12, 2017 Must Read: The task 2 should be done individually! You can submit your solution for task using
More informationFirmware Test Suite - Uses, Development, Contribution and GPL
presented by Firmware Test Suite - Uses, Development, Contribution and GPL Fall 2017 UEFI Plugfest October 30 November 3, 2017 Presented by Alex Hung (Canonical, Ltd) UEFI Plugfest October 2017 www.uefi.org
More informationBlue Team Handbook: Incident Response Edition
Blue Team Handbook: Incident Response Edition A condensed field guide for the Cyber Security Incident Responder. By: Don Murdoch, GSE, MBA, CISSP+14 Version 2.0 1. Blue Team Handbook - Introduction 3 2.
More informationPhysical Memory File Extraction Based on File Object Analysis
Physical Memory File Extraction Based on File Object Analysis Youngbok Kang(K-dupe) with Phd Hyunuk Hwang and Phd Kibom Kim Chonnam National University SSRC Content Background File Object Analysis File
More informationEd Ferrara, MSIA, CISSP
MIS 5208 - Lecture 12 Investigation Methods Data Acquisition Ed Ferrara, MSIA, CISSP eferrara@temple.edu Objectives List digital evidence storage formats Explain ways to determine the best acquisition
More informationComputer Forensics: Investigating Data and Image Files, 2nd Edition. Chapter 3 Forensic Investigations Using EnCase
Computer Forensics: Investigating Data and Image Files, 2nd Edition Chapter 3 Forensic Investigations Using EnCase Objectives After completing this chapter, you should be able to: Understand evidence files
More informationChapter 2: System Structures. Operating System Concepts 9 th Edition
Chapter 2: System Structures Silberschatz, Galvin and Gagne 2013 Chapter 2: System Structures Operating System Services User Operating System Interface System Calls Types of System Calls System Programs
More informationIntroduction to Windows internals.
Introduction to Windows internals pavel.turbin@f-secure.com kimmo.kasslin@f-secure.com 2 Architecture 3 Windows architecture 4 System Mechanisms 5 Kernel-mode & user-mode 0xFFFFFFFF System-space (Ring
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationMotivation. Threads. Multithreaded Server Architecture. Thread of execution. Chapter 4
Motivation Threads Chapter 4 Most modern applications are multithreaded Threads run within application Multiple tasks with the application can be implemented by separate Update display Fetch data Spell
More informationCompTIA A+ Certification ( ) Study Guide Table of Contents
CompTIA A+ Certification (220-902) Study Guide Table of Contents Course Introduction About This Course About CompTIA Certifications Module 1 / Supporting Windows 1 Module 1 / Unit 1 Windows Operating System
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 6: Acquisition Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Storage Formats Acquisition Architecture Acquisition Methods Tools Data Acquisition
More informationAdvanced Operating Systems
Advanced Operating Systems File Systems: File Allocation Table, Linux File System, NTFS Lecture 10 Case Studies of File Systems File Allocation Table (FAT) Unix File System Berkeley Fast File System Linux
More informationWindows Live Acquisition/Triage Using FOSS and AChoir
Windows Live Acquisition/Triage Using FOSS and AChoir Who Am I D0n Quix0te @OMENScan or OMENScan@Gmail.com Creator of OMENS, OMENSApp, AChoir Global Incident Response @ Live Nation 16 Years @ NASA 7 Years
More informationINSTITUTO SUPERIOR TÉCNICO
INSTITUTO SUPERIOR TÉCNICO DEPARTAMENTO DE ENGENHARIA INFORMÁTICA FORENSICS CYBER-SECURITY MEIC, METI Lab Guide III & IV Case Solving: Mr. Informant Case 2015/2016 nuno.m.santos@tecnico.ulisboa.pt 1 Introduction
More informationCS 5460/6460 Operating Systems
CS 5460/6460 Operating Systems Fall 2009 Instructor: Matthew Flatt Lecturer: Kevin Tew TAs: Bigyan Mukherjee, Amrish Kapoor 1 Join the Mailing List! Reminders Make sure you can log into the CADE machines
More informationTrustedinstaller Failed To Read Description. Error Code 2
Trustedinstaller Failed To Read Description. Error Code 2 Is the TrustedInstaller service startup type set to automatic? Description: The ipoddrv service failed to start due to the following error: %%2.
More informationQuick Start Guide. Version R94. English
Backup Quick Start Guide Version R94 English December 12, 2016 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS
More informationThis version has been archived. Find the current version at on the Current Documents page. Archived Version. Capture of Live Systems
Scientific Working Group on Digital Evidence Capture of Live Systems Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification by e-mail
More information