Volatile Data Acquisition & Analysis
Volatile Data Acquisition & Analysis
Villanova University, Department of Computing Sciences
D. Justin Price, Spring 2014
VOLATILE INFORMATION
Memory that requires power to maintain data. It exists as:
- Physical Memory (RAM)
- Virtual Memory (Pagefile.sys)
- Hibernation File
- Virtual Machine RAM (*.vmem)
Volatile information describes the state of the system at a particular point in time. Types of volatile information include:
- System time
- Logged-on user(s)
- Open files
- Network information
- Network connections
ACTIVE USERS
Determining who is actively logged on to a compromised system is important. The psloggedon command will display all users that are currently active on the local system, in addition to users active on the system via remote resources.
SYSTEM INFORMATION
The psinfo command will capture a tremendous amount of volatile data, in addition to specific hardware information that may be useful later in the investigation. Information captured by this utility is as follows:
- System Uptime
- Kernel Build
- Install Date
- Registered Organization & Owner
- Processor Information
- Physical Memory
- Disk Volume Information (-d switch)
- Installed Applications (-s switch)
- Installed Hotfixes (-h switch)
By knowing what applications and hotfixes are installed, one may be able to determine what vulnerabilities are present on the system.
FILE LISTING
Another important command to execute is one that captures a complete file listing of all files and directories on the system. This will create a snapshot of all files along with their timestamps. There are several options with the dir command that will document and sort the file listing by access date, modified date or creation date. Some of the more important options are listed below:
- /t = selects which time stamp is shown (a = access, w = modified, c = creation)
- /a = shows all files
- /s = recursive listing
- /Q = shows file owners
- /o:d = sorts by date
FILE LISTING
Examples of the command are listed below. The following commands will sort the file listing by access date, modified date and creation date, respectively, and capture a recursive file listing from the root of the C:\ drive. If the incident only warranted a certain directory or user's account, then the last argument of the command (the path) could be modified.
  dir /t:a /a /s /Q /o:d c:\
  dir /t:w /a /s /Q /o:d c:\
  dir /t:c /a /s /Q /o:d c:\
OPEN NETWORK PORTS
Netstat is another utility that can be used for documenting all open ports. As indicated before, there are numerous options available. The four options that should be used are indicated below:
  F:\netstat.exe -anob
- -a = displays all connections and listening ports
- -n = displays numerical addresses
- -b = displays the executable involved
- -o = displays the owning process ID
RUNNING PROCESSES
Pslist is a utility that documents all of the running processes currently active on a system. This utility is useful in identifying and documenting any unauthorized processes running on a compromised system. An example of the command and useful options is detailed below:
  pslist.exe -tdmx
- -t = process list in tree format
- -d = shows thread detail
- -m = shows memory detail
- -x = shows processes, memory information and threads
ACTIVE DLLs
ListDLLs is a utility that will document and display all DLLs that are currently loaded and associated with a specific process or process ID. If a rogue application or process is running, documenting what DLLs are associated with the process could be critical information for later examination and reverse-engineering efforts.
  listdlls.exe -uv
- -u = list unsigned DLLs
- -v = display DLL version information
- processname = displays all DLLs loaded by a process
- pid = displays all DLLs associated with a PID
PHYSICAL NETWORK CONNECTIONS
In addition to documenting and recording processes, opened files and active users, it is equally important to record the current network configuration. This will help document the current network settings, MAC address, connected network and assigned IP address. An example of the command and useful options is detailed below:
  ipconfig /all
- /all = displays detailed information
INSTALLED SERVICES
The PsService utility can be used to document and record all installed services on the system. The information can be used as a starting point to see if any of the installed services have known exploits. An example of the command is detailed below:
  psservice.exe
EVENT LOGS
The next set of commands is used to deal with event logs. Event logs can be critical in documenting and reporting permission changes, installation activities and user account access, to name only a few. The auditpol /get utility can be used to determine the current audit log policy. This can help determine what policies are currently active on the system and may help explain what entries are and are not seen in the event logs. Psloglist is a utility that will extract all of the entries from the various event logs in an easily viewable format.
  psloglist.exe -x system       (extracts system event logs)
  psloglist.exe -x security     (extracts security event logs)
  psloglist.exe -x application  (extracts application event logs)
LOGIN / LOGOFF EVENTS
The ntlast utility can be used to document and record only user logon and logoff events. This may be helpful so that extensive time is not wasted mining through the large event logs (EVT) of a properly configured system. When used with the verbose option (-v), all logon, logoff and duration entries are extracted.
  ntlast.exe -v
REMOTE FILES
The psfile utility can be used to document and record all files that are remotely open on the system from which it is executed. The utility also has the capability to close any of the open files.
OPEN FILES AND FOLDERS
The handle utility can be used to document and record which program has a certain file and/or directory open. If a rogue application has been identified, this command would help determine what the application is doing by showing which files and/or folders are being accessed by it.
EFS ENCRYPTED FILES
One final command that may be useful will identify whether any files on the target system are encrypted using NTFS's built-in encryption. This feature is referred to as Encrypting File System (EFS) and is supported on any system running Windows 2000 and newer; additionally, the hard drive must be formatted as NTFS. The EFS encryption password is directly tied to the account of the user that encrypted the file. If EFS encrypted files are identified, it is recommended that the files be exported to a FAT32 formatted thumb drive. By exporting to a FAT32 thumb drive, the encryption will be lost, because FAT32 does not support EFS. In other words, if you are investigating a live box and you have access to the decrypted files, copy the files out before the system is shut down or the user's account is logged off, either of which would render the decrypted files unreadable. An example of the command and useful options is detailed below:
  C:\cipher /U /N
The /U /N options will identify all encrypted files on all attached volumes.
BATCH FILES
All of the data generated from the above commands can be exported to a text file using the output redirection operator (>). An example of this exportation feature would be:
  psloggedon.exe > e:\trusted_thumb_drive\active_users.txt
For efficiency, a script could be created to automatically run each of these commands and send all of the outputs to individual files or append all of the outputs (>>) to a single text file. An example of such a script would be:
  date /t > e:\trusted_thumb_drive\results.txt
  time /t >> e:\trusted_thumb_drive\results.txt
  psloggedon.exe >> e:\trusted_thumb_drive\results.txt
  psinfo.exe -h -s -d >> e:\trusted_thumb_drive\results.txt
  date /t >> e:\trusted_thumb_drive\results.txt
  time /t >> e:\trusted_thumb_drive\results.txt
The date and time commands are a great way to document when the incident response actions were started and finished. Remember that documentation is a major factor when dealing with an evidentiary scenario. When capturing the system's date and time settings, it is important to document any discrepancies between the system clock and the actual time; this information will be critical if discrepancies do exist. If timeline analysis becomes a necessary analysis tool, then knowing any date and/or time differences would be critical so that examination conclusions are based on accurate facts of the incident.
BATCH FILES
Another way to record the volatile data is to set up a forensic workstation and use the netcat program. Netcat can be used to send the data from the target system to the forensic workstation over a network connection. On the forensic workstation, the following command will start a netcat listener on port 2222 and record the incoming data to a text file named pslist.txt:
  nc -l -p 2222 > pslist.txt
Once the listening port has been established on the forensic workstation, any command can be executed on the compromised system and the volatile data can be recorded on the forensic workstation. The command listed below will execute the pslist command and send the output to the forensic workstation over port 2222 (replace the placeholder with the workstation's address):
  pslist | nc <forensic_workstation_ip> 2222
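The following batch script is an added example, not part of the original slides: it strings the Windows commands from the preceding slides together in a fixed order, timestamps the start and finish, keeps one file per command plus a combined results.txt, hashes every output file, and optionally streams the combined file to the netcat listener described above. It assumes a trusted toolkit directory E:\tools and an output directory E:\results (both placeholders), a workstation address given as the first argument, and a Windows 7 or later host for certutil -hashfile and auditpol /category:*.

```batch
@echo off
rem Added example (not from the original slides): live-response collection
rem script for the Windows procedure on the preceding slides.
rem Assumptions (placeholders): trusted copies of the Sysinternals tools,
rem netstat.exe, ipconfig.exe, cipher.exe, ntlast.exe and nc.exe live in
rem E:\tools; results are written to E:\results\<hostname>.
rem Usage, from a cmd prompt on the compromised host:
rem   E:\collect.bat              write all output under E:\results\%COMPUTERNAME%
rem   E:\collect.bat 192.0.2.10   ...and afterwards stream results.txt to the
rem                               forensic workstation (placeholder address)
rem                               that is running: nc -l -p 2222 > results.txt
setlocal enableextensions
set "TOOLS=E:\tools"
set "OUT=E:\results\%COMPUTERNAME%"
set "RESULTS=%OUT%\results.txt"
set "FW=%~1"
set "NCPORT=2222"
if not exist "%OUT%" mkdir "%OUT%"

rem Prefer the toolkit's binaries over the host's copies, which may be trojaned.
set "PATH=%TOOLS%;%PATH%"

rem Start-of-response timestamp. "date /t" and "time /t" only print; a bare
rem "date" in a script would prompt for a new date and block the collection.
echo ===== collection started on %COMPUTERNAME% ===== > "%RESULTS%"
date /t >> "%RESULTS%"
time /t >> "%RESULTS%"

rem Most volatile first: users and processes, then network state, then the
rem slow file-system listings. -accepteula keeps the Sysinternals tools from
rem opening a licence dialog and writing its acceptance to the registry later.
call :run users     "psloggedon.exe -accepteula"
call :run sysinfo   "psinfo.exe -accepteula -h -s -d"
call :run processes "pslist.exe -accepteula -t"
call :run dlls      "listdlls.exe -accepteula -u -v"
call :run handles   "handle.exe -accepteula -a"
call :run remote    "psfile.exe -accepteula"
call :run netstat   "netstat.exe -anob"
call :run ipconfig  "ipconfig.exe /all"
call :run services  "psservice.exe -accepteula"
call :run auditpol  "auditpol.exe /get /category:*"
call :run evt_sys   "psloglist.exe -accepteula -x system"
call :run evt_sec   "psloglist.exe -accepteula -x security"
call :run evt_app   "psloglist.exe -accepteula -x application"
call :run logons    "ntlast.exe -v"
call :run efs       "cipher.exe /U /N"
call :run dir_atime "dir /t:a /a /s /Q /o:d c:\"
call :run dir_mtime "dir /t:w /a /s /Q /o:d c:\"
call :run dir_ctime "dir /t:c /a /s /Q /o:d c:\"

rem End-of-response timestamp, then hash every output file so that later
rem copies of the evidence can be verified against this record.
echo ===== collection finished ===== >> "%RESULTS%"
date /t >> "%RESULTS%"
time /t >> "%RESULTS%"
for %%F in ("%OUT%\*.txt") do certutil -hashfile "%%~F" SHA256 >> "%OUT%\hashes.sha256"

rem Optional netcat transfer (as on the slide above): a single connection
rem carrying the combined file, so one "nc -l -p 2222" listener is enough.
if defined FW (
    type "%RESULTS%" | "%TOOLS%\nc.exe" %FW% %NCPORT%
)
endlocal
goto :eof

:run
rem %1 = short name for the per-command file, %2 = quoted command line.
rem Output (stdout and stderr) is kept per command and appended to results.txt.
set "NAME=%~1"
set "CMDLINE=%~2"
echo.>> "%RESULTS%"
echo ===== %NAME%: %CMDLINE% ===== >> "%RESULTS%"
%CMDLINE% > "%OUT%\%NAME%.txt" 2>&1
type "%OUT%\%NAME%.txt" >> "%RESULTS%"
goto :eof
```

Run the script from an administrative prompt, since netstat -b, handle and the security event log require elevated rights; the hashes.sha256 file is deliberately not a .txt so that it does not hash itself.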
VOLATILE DATA - OS X

| Volatile Data | Command | Switch Operation |
|---|---|---|
| Date and Time | date | N/A |
| List of Commands Run | history | N/A |
| List Users | id | N/A |
| Users Logged On | w | N/A |
| System Uptime | uptime | N/A |
| File Time Stamps | ls -alRu / ; ls -alRc / ; ls -alR / | l = long listing; R = recursive listing; u = access time; c = modification time; without u or c = create time |
| Network Connections | netstat -anp | a = display all ports; n = indicates numerical addresses |
| Running Processes | ps -a | N/A |
| Network Config | ifconfig | N/A |
| Last Logins of Users | last | N/A |
| Mounted File Systems | df -ah | a = show all mount points; h = human readable sizes |
| Password Hashes | cat | N/A |
| Open Files | lsof | N/A |
VOLATILE DATA - LINUX

| Volatile Data | Command | Switch Operation |
|---|---|---|
| Users Logged On | w | N/A |
| Date and Time | date | N/A |
| System Uptime | uptime | N/A |
| File Time Stamps | ls -alRu / ; ls -alRc / ; ls -alR / | l = long listing; R = recursive listing; u = access time; c = modification time; without u or c = create time |
| Network Connections | netstat -anop | a = display all ports; n = indicates numerical addresses; o = networking timers; p = process ID |
| Running Processes | ps -aux | N/A |
| Network Config | ifconfig | N/A |
| Log Data | last | N/A |
| Kernel Modules | lsmod | N/A |
| Mounted File Systems | df -ah | a = show all mount points; h = human readable sizes |
| Password Hashes | cat | N/A |
| Open Files | lsof | N/A |
RAM CAPTURE
This process will change / alter evidence. Documentation is very important when deciding to extract physical memory. There is no current method to write-protect physical memory.
Why memory should be captured:
- Running processes
- Network connections
- Configuration parameters
- Encryption keys
- Passwords
- Memory-only exploits
- Data carving (INFO2, lnk files, graphic files, internet artifacts (i.e. session cookies), etc.)
ACCESSDATA'S FTK (screenshot-only slides)
VOLATILITY (screenshot-only slides)
MANDIANT REDLINE
Mandiant offers a free memory acquisition and analysis tool for the Windows and Macintosh platforms called Memoryze. This tool is specially designed to aid the incident response team in identifying malicious activity, or evidence of such activity, in physical memory. Memoryze is capable of capturing physical memory and of analyzing raw images of physical memory even if the program didn't initially capture them. The feature list is extensive, covering everything from enumerating all hidden and unhidden running processes to identifying all drivers loaded in memory.
User Guide:
OSTRIAGE (screenshot-only slides)
KillTest Exam : 312-49v8 Title : ECCouncil Computer Hacking Forensic Investigator (V8) Version : Demo 1 / 6 1.What is the First Step required in preparing a computer for forensics investigation? A. Do
More informationDigital Forensics Lecture 01- Disk Forensics
Digital Forensics Lecture 01- Disk Forensics An Introduction to Akbar S. Namin Texas Tech University Spring 2017 Digital Investigations and Evidence Investigation of some type of digital device that has
More informationContact Information. Contact Center Operating Hours. Other Contact Information. Contact Monday through Thursday Friday
Contact Information Contact Center Operating Hours Contact Monday through Thursday Friday Phone: 1.801.796.0944 8 AM 5 PM Eastern Time 8 AM 3 PM Eastern Time Online chat: http://support.paraben.com 10
More informationLinux Systems Administration Getting Started with Linux
Linux Systems Administration Getting Started with Linux Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International
More informationFile systems security: Shared folders & NTFS permissions, EFS Disk Quotas
File systems security: Shared folders & NTFS permissions, EFS Disk Quotas (March 23, 2016) Abdou Illia, Spring 2016 1 Learning Objective Understand Shared Folders Assign Shared Folder permissions NTFS
More informationEd Ferrara, MSIA, CISSP
MIS 5208 - Lecture 12 Investigation Methods Data Acquisition Ed Ferrara, MSIA, CISSP eferrara@temple.edu Objectives List digital evidence storage formats Explain ways to determine the best acquisition
More informationAccessData FTK Quick Installation Guide
AccessData FTK Quick Installation Guide Document date: May 20, 2014 2014 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system,
More informationSoftware Vulnerability Assessment & Secure Storage
Software Vulnerability Assessment & Secure Storage 1 Software Vulnerability Assessment Vulnerability assessment is the process of identifying flaws that reside in an OS, application software or devices
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationContact Details and Technical Information
Contact Details and Technical Information GetData Forensic Pty Ltd GetData Forensics USA Suite 204 1007 North Sepulveda Blvd # 1543 13a Montgomery St Manhattan Beach, CA 90267 Kogarah NSW 2217 USA Australia
More informationSupport for the HIPAA Security Rule
white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe
More informationRunning head: FTK IMAGER 1
Running head: FTK IMAGER 1 FTK Imager Jean-Raymond Ducasse CSOL-590 June 26, 2017 Thomas Plunkett FTK IMAGER 2 FTK Imager Outline Process for Adding Individual Files & Folders as Evidence Items Although
More informationThe Wonderful World of Services VINCE
The Wonderful World of Services VINCE Agenda definitions services for Windows and Linux breaks? auditing Linux logs for Linux useful tools Goals develop a better understanding of Linux and Windows services
More informationForensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation
Forensics Challenges Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation Introduction Encrypted content is a challenge for investigators Makes it difficult
More information70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced. Chapter 7: Advanced File System Management
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management Objectives Understand and configure file and folder attributes Understand
More informationAdvanced Security Measures for Clients and Servers
Advanced Security Measures for Clients and Servers Wayne Harris MCSE Senior Consultant Certified Security Solutions Importance of Active Directory Security Active Directory creates a more secure network
More informationDetecting Computer Intrusions: Are You Pwned?
Detecting Computer Intrusions: Are You Pwned? Steve Anson Former computer agent for the U.S. Department of Defense and Federal Bureau of Investigation (FBI) Former computer crime investigation instructor
More information2014 Software Global Client Conference
GEN TSS-03 Advanced Troubleshooting & Tools for Products and Solutions Presented by: Pierluigi Iodice Global Solution Support Engineer Email: pierluigi.iodice@schneider-electric.com Agenda We will discuss:
More informationCNIT 121: Computer Forensics. 14 Investigating Applications
CNIT 121: Computer Forensics 14 Investigating Applications Applications Not part of the operating system User applications Internet browsers, email clients, office suites, chat programs, and more Service
More informationNational University of Computer and Emerging Sciences Operating System Lab - 02 Lab Manual
National University of Computer and Emerging Sciences Operating System Lab - 02 Lab Manual Objective This lab is all about running commands in Ubuntu Terminal and compiling C program in Ubuntu Table of
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationShell Items, Eventlogs, Forensics
Shell Items, Eventlogs, Email Forensics Georgi Nikolov today Shell Items What are shell items? Figure 1: www.pinterest.com Shell Items Overview Data or file holding information for accessing another file
More informationThese views are mine alone and don t reflect those of my employer
These views are mine alone and don t reflect those of my employer You are compromised - Player (1) Insert coin - If? When? Why? login: root Password: ********** Welcome back, root. root@localhost:~# _
More information