a guest Jul 18th, 2019 86 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ### Forensics
  2. Forensics involves collecting evidence.  The job of the forensics investigator is to determine what happened on the machine.  It has typically involved examining machines collected from locations, but recently 'live forensics' or the examination of the working machine in place has become more common.  Live forensics enable the researcher to do a memory dump and analyze what is happening in memory.  This would not be possible if a machine was shut down and transported for analysis.
  4. The lecture mention four important principles for forensics:
  5. 1. Minimize data loss
  6. 2. Record Everything
  7. 3. Analyze all data collected
  8. 4. Report Findings
  10. When recording evidence you should start with the time and system time.  It is important to have proper time recordings so that a timeline of events can be reconstructed.
  12. Triage is a concept mentioned in the lectures where multiple sources of evidence such as registry values and log files are examined and each supports the same conclusion.  If you want to investigate a particular question, it is good to examine all evidence which might determine the answer, and all should be consistent.
  14. Incident Response (IR) is the methodology for a team to respond to an ongoing attack.
  16. DMZ is a zone in the corporate network that is between the internal network and the internet.  This is where applications which need internet access would reside and there would be firewalls on both ends of the zone.
  18. A typical incident might involve the attackers penetrating the outer firewall, infecting a device in the DMZ, and then further attempting to penetrate the inner firewall to access the internal network.  The incident response would need to collect log data from all these devices and synchronize them.
  20. The order of volatility - information which is more volatile, should be collected first.  System memory is the first item to be captured, along with any other data that would be erased when the system shuts down.
  24. #### Forensic Tools:
  25. ##### FTK Imager -
  26.  - The 'capture memory' button creates a memory dump file. This is all the raw contents of memory, which includes the memory used by the tool itself.
  27.  - 'Add evidence item' opens a read-only view. For example, adding the physical drive will display all contents of the drive without copying or modifying
  28.     root\$MFT is the master file table
  29.  - 'Create disk image', select disk, select output'raw'
  32.  Memory dumps can show almost all activities which are occuring.  It is one of the most useful analysis techniques because it has so much valuable information.
  34. ##### Volatility -
  35.  This runs from the command line. It is easiest to put the .exe file and the memory dump file in the same folder.  Then run volatility on the memory dump with some plugin option. These are some plugins which I ran:
  37.  imageinfo
  38.  This is useful for identifying the profile.  In this case Win7SP0x86
  39.  Then other plugins can be run with --profile=Win7SP0x86 attribute
  41.  ![Image](volatility_imageinfo.png "imageinfo")
  43.  psscan
  44. this lists the processes which were running on the system
  46.  ![Image](volatility_psscan.png "psscan")
  48.  dlllist <pid>
  49.  this displays the dlls called by a particular process identifying
  51.  ![Image](volatility_dlllist.png "dlllist")
  53.  netscan
  54.  this displays network activity
  56.  deskscan
  57.  shows the different desktops which the processes are assigned to
  59.  getsids
  60.  displays which user rights the processes are running under
  63.  timeliner --output=body
  64.  creates a timeline of events including processes and network activity
  66.  mftparser --output=body
  67.  outputs master file table $MFT
  69. ##### Windows Registry
  70. Hierarchical database storing configuration data for users, devices, and more.  It contains tons of information and timestamps recording what was accessed, by whom, and when.
  71. Two 'real' hives: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM)
  72. RegEdit
  74. Within the registry there are common locations for malware such as: autorun, MRU lists, USB devices, IE history
  76. Other forensics locations:
  77. Browser logs
  78. Anivirus logs
  79. Windows prefetch folder
  80. System Restore Points
  83. Data Recovery/Data Carving-
  84. Deleted files remain on disk until they are overwritten.  This data can be recovered via a special program which scans the disk for file header and footers.  The header identifies the start of the file and the type of the file.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!