Live Forensics

Information about Live Forensics

Published on November 14, 2008

Author: ctin

Source: slideshare.net

Are you alive?

Gordon Mitchell

Future Focus, Inc

aka bug-killer, eSleuth, …

Shocking news

Federal judges now briefed on need for live forensics

Defense may object to your leaving out 2GB of evidence (RAM)

It may never be possible to find the important issues without live forensics.

Ovie Carroll, DOJ at SANS Summit

Current forensics does not scale

Defense may ask about RAM

Need to collect RAM even if it is not analyzed

Always need to focus on user attribution

User attribution must be in the search warrant

Don’t pull the plug

Get status of network

Check all running processes

List the users, shares, …

Grab RAM

My info sources

Harlan Carvey’s book – a great resource

SANS Summit – the future of forensics

Software vendors

X-Ways Forensics (good forensics analysis)

F-Response (remote connection to HD & RAM)

Sysinternals (superb for Windows diagnostics)

Mandiant (PC profiling)

HBGary (impressive RAM parsing & analysis)

Sysinternals

Prevent popup EULA

Batch file of commands

Fuzzy hashing

Finds almost-the-same files, alterations, and partial files

ssdeep -r <files> (to generate)

ssdeep -m file_of_hashes [options] (to compare)
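As an added example that is not part of the deck or of any vendor's tooling, the batch file below runs the "Don't pull the plug" sequence (network, processes, users and shares, then RAM) and finishes with the ssdeep step from this slide, so the collected output can later be checked for alteration with ssdeep -m. It assumes it runs from a USB stick that also holds pslist.exe, psloggedon.exe, ssdeep.exe and mdd.exe; the tool names, folder layout and the mdd switch are assumptions.

```batch
@echo off
REM Added example (not from the slides): minimal live-response collection
REM in volatility order. Everything is written next to this script on the
REM USB stick so nothing is created on the target's hard drive.
setlocal
set TOOLS=%~dp0
set OUT=%~dp0evidence_%COMPUTERNAME%
mkdir "%OUT%" 2>nul

REM Log who collected, where and when; this log is part of the evidence
echo Collection started %DATE% %TIME% by %USERNAME% on %COMPUTERNAME% > "%OUT%\collection.log"

REM 1. Network status first: connection tables and caches change fastest
ipconfig /all > "%OUT%\ipconfig.txt"
netstat -ano > "%OUT%\netstat.txt"
arp -a > "%OUT%\arp.txt"
route print > "%OUT%\route.txt"

REM 2. Running processes: built-in tasklist plus Sysinternals pslist
REM    (-accepteula suppresses the EULA popup mentioned on the Sysinternals slide)
tasklist /v > "%OUT%\tasklist.txt"
"%TOOLS%pslist.exe" -accepteula -t > "%OUT%\pslist.txt"

REM 3. Users, sessions and shares
net user > "%OUT%\net_user.txt"
net session > "%OUT%\net_session.txt"
net share > "%OUT%\net_share.txt"
"%TOOLS%psloggedon.exe" -accepteula > "%OUT%\psloggedon.txt"

REM 4. RAM last; mdd's -o switch is assumed here (the deck notes mdd does not
REM    work on Vista, so use F-Response or another imager there)
"%TOOLS%mdd.exe" -o "%OUT%\memory.dd"

REM 5. Fuzzy-hash the collected output. The hash file is written outside %OUT%
REM    so it does not hash itself; verify later with:
REM    ssdeep -m evidence_<host>.ssdeep -r evidence_<host>
"%TOOLS%ssdeep.exe" -r "%OUT%" > "%~dp0evidence_%COMPUTERNAME%.ssdeep"

echo Collection finished %DATE% %TIME% >> "%OUT%\collection.log"
endlocal
```

Running the tools from the stick and writing only to it keeps the script's own footprint on the target to process creation and memory use, which should still be noted in the collection log.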

Active Registry Monitor arm_db.rgf $40 (only runs thru XP)

Allows registry diff; run before and after installation

InCtrl5 $7 (only runs thru W2K)

Application installer analyzer

Keeps track of what changes happen on install

mdd.exe, from ManTech (no good on Vista)

Volatility, Voltage, etc. from Aaron Walters

See Windows Forensic Analysis by Harlan Carvey

di (physical disk info)

ldi (logical disk info)

sr (restore point settings from XP; no harm in Vista)

lsproc (gets processes from memory)

lspd (file name and offset from lsproc file to get process details)

Free tools from Mandiant

Command line tools for minimal impact on target system

Grab important info on machine condition

Can collect for later comparison

Console lets results from individual systems be compared

Mandiant


Collecting RAM -- a demo in Vista!

Target machine

Start F-Response client

Analysis machine

Start X-Ways Forensics (recent version)

Set up iSCSI initiator

Add medium to case

Search or save

Tools from HBGary

Analyze RAM

Suspect stuff is identified

$3500 basic GUI version – It really works!


New news – it’s not all on the hard drive

Thanks for coming...

(888) eSleuth www.eSleuth.com

[email_address]
