Incident Response & Computer Forensics, Third Edition
by Jason T. Luttgens, Matthew Pepe, Kevin Mandia
McGraw-Hill Education
ISBN: 978-0-07-179869-6
| Page | Notes |
|---|---|
| Tandy 1000SX | |
| Mandiant | |
| industrial espionage | |
| data theft | |
| Jed Mitten | |
| Highlighter log analysis tool | |
| NASA | |
| computer forensics | |
| incident response | |
| research and development | |
| forensics | |
| 9/11 | |
| USAF | |
| Office of Special Investigations (OSI) | |
| DoD - Computer Forensics Laboratory | |
| Linthicum, Maryland | |
| expert witness | |
| 18th Communications Squadron | |
| Kadena Air Base | |
| Okinawa, Japan | |
| George Mason University | |
| computer science | |
| Matthew Pepe | |
| AFOSI | |
| Pentagon | |
| subject matter expert | |
| Foundstone | |
| Trident Data Systems | |
| Sytex | |
| SCSI, SCSI terminator | |
| Kevin Mandia | |
| Chief Operating Officer (COO) | |
| FireEye | |
| 7th Communications Group; The Pentagon | |
| Ernst and Young | |
| Washington | |
| Lafayette College | |
| Master’s Degree, Bachelor’s Degree | |
| The George Washington University | |
| Marshall Heilman | |
| information security | |
| security assessment | |
| high tech crime | |
| staff sergeant | |
| USMC | |
| Ryan Kazanciyan | |
| penetration testing | |
| public sector, private sector | |
| law enforcement | |
| red team | |
| Windows | |
| Unix | |
| economics | |
| Duke University | |
| Curtis W. Rose and Associates | |
| Columbia, Maryland | |
| litigation | |
| intrusion response | |
| “Real Digital Forensics: Computer Security and Incident Response” | |
| “Handbook of Digital Forensics and Investigations” | |
| “Malware Forensics Field Guide for Windows Systems” | |
| “Malware Forensics Field Guide for Linux Systems” | |
| “Malware Forensics: Investigating and Analyzing Malicious Code” | |
| “SQL Server Forensic Analysis” | |
| “Anti-Hacker Toolkit” | |
| “Network Security: The Complete Reference” | |
| xv | incident response has changed significantly |
| incident response used to be a “three to ten host problem” | |
| attack surface | |
| smash and grab | |
| attackers are more patient in 2014 than 2004 | |
| dwell time: months to years | |
| reconnaissance | |
| “attackers know the network as well as the IT department” | |
| nation state | |
| cybercrime | |
| credit card | |
| PII | |
| attackers and defenders have evolved | |
| visibility | |
| enterprise-wide | |
| intrusions have global and economic impact | |
| SVP | |
| Chief Legal Officer | |
| David Drummond | |
| xvi | China |
| stock price impact due to incident disclosure | |
| Baidu | |
| preparation is the most important part of incident response | |
| tricks of the trade | |
| tools of the trade | |
| “Rootkits: Subverting the Windows Kernel” | |
| James R. Butler | |
| BlackHat | |
| Steve Surdu | |
| Kris Kendall | |
| Ken Bradley | |
| Jed Mitten | |
| Chuck Willis | |
| Kris Harms | |
| Bred Padres | |
| Ben Rubin | |
| Nicholas Harbour | |
| David Ross | |
| Tony Dell | |
| Charles Coe | |
| Greg Dominguez | |
| Richard Wilkinson | |
| Marshall Heilman | |
| Ryan Kazanciyan | |
| Jeff Hamm | |
| Justin Prosco | |
| Willi Ballenthin | |
| Ryan Benson | |
| Nikes Akens | |
| Robert Honnies | |
| Barry Grundy | |
| Danny Mares | |
| James Akers | |
| John Beers | |
| Brandi Shailer | |
| Amanda Russell | |
| Amy Jollymore | |
| xix | Ponemon Institute |
| cost of cybercrime in 2013 | |
| average cost of an incident: $1 million | |
| average time to resolve an incident: 32 days | |
| CIO | |
| xx | malware triage |
| evidence | |
| remediation | |
| report writing | |
| future proof | |
| incidents are inevitable | |
| detection | |
| data collection | |
| xxi | Microsoft Windows |
| Apple OS X | |
| 4 | organizations are complacent/reckless in regards to cybercrime |
| cost of doing business | |
| Carl Sagan | |
| CSRC - Computer Security Resource Center | |
| NIST - National Institute of Standards and Technology | |
| NIST Special Publication 800-61 | |
| event definition: “any observable occurrence in a system or network” | |
| incident definition: “violation or threat of violation of computer security policies, acceptable use policies, or standard security practices” | |
| email spam | |
| embezzlement | |
| 5 | Xbox |
| USDOJ | |
| Cornell University | |
| “What is Incident Response” | |
| 6 | case study |
| ACL - Access Control List | |
| Java | |
| malware | |
| sophisticated attacker | |
| hashing | |
| digital certificate | |
| persistence mechanism | |
| 7 | live response |
| storage and the nature of computer systems has changed how incident response is performed | |
| CIA triad | |
| public relations | |
| Hippocrates | |
| 8 | why care about incident response? |
| cryptography | |
| scope | |
| cyber espionage | |
| VPN | |
| 9 | SQL injection |
| DMZ | |
| xp_cmdshell stored procedure | |
| local administrator privileges | |
| backdoor | |
| cracking password hashes | |
| keylogger | |
| domain controller | |
| antivirus evasion | |
| 10 | tunneling |
| RDP | |
| command and control | |
| DLL search order hijacking | |
| DNS C2 traffic | |
| proxy | |
| attacking sysadmins | |
| file share enumeration | |
| “juicy” file shares | |
| credential theft | |
| data exfiltration | |
| FTP | |
| 11 | Zip, RAR, CAB files |
| compression | |
| jump server | |
| Payment Card Industry (PCI) | |
| CVV/CVV2 | |
| black market | |
| credit card fraud | |
| 12 | Domain Administrator (DA) |
| extracting password hashes from memory | |
| Internet | |
| port 88 | |
| mail exchanger | |
| 13 | Sysinternals PsSuite |
| pslist | |
| memory dump | |
| RAR - multipart | |
| PCI Data Security Standard (DSS) | |
| Point of Sale (PoS) | |
| tokenization | |
| end-to-end encryption (E2EE) | |
| 14 | process injection |
| regular expression | |
| track2 data | |
| hashing to prevent data duplication | |
| RC4 | |
| hard-coded key | |
| malware killswitch/mutex | |
| sysadmin noticed strange traffic on port 80 to a foreign country | |
| initial triage | |
| containment | |
| eradication | |
| network traffic analysis | |
| 15 | PE, ELF |
| spear phishing | |
| Adobe Acrobat vulnerabilities | |
| Gh0stRAT | |
| RAT | |
| 16 | 2FA - Two Factor Authentication |
| attacker determined user was an engineer, worked from home, and enumerated installed software | |
| mimikatz | |
| backup access/multi-tiered persistence | |
| Security Event Log - actual hostname and IP of attacker | |
| VPN pool | |
| geolocation | |
| Texas | |
| Outlook Web Access (OWA) | |
| 17 | attacker modified file ACLs |
| local admin password reuse across environment | |
| Windows defrag tool as anti-forensics | |
| Security Information and Event Management (SIEM) | |
| users logging in from multiple IPs/hosts as a detection | |
| IP address as attacker attribution/scoping incident | |
| enterprise-wide password reset | |
| 18 | recursive directory listing |
| 19 | attack lifecycle |
| 20 | initial compromise |
| social engineering | |
| public-facing vulnerabilities | |
| establishing a foothold | |
| shellcode | |
| attackers downloading extra tools | |
| privilege escalation | |
| pass the hash (PtH) | |
| internal reconnaissance | |
| 21 | lateral movement |
| network shares as lateral movement | |
| Task Scheduler lateral movement | |
| PsExec lateral movement | |
| radmin lateral movement | |
| RDP, Dameware, VNC lateral movement | |
| maintaining persistence | |
| webshell | |
| backdooring legitimate applications | |
| 22 | hindsight is 20/20 |
| 24 | preparing for an incident |
| most incident responses are non-technical | |
| core principles of incident response are the same as non-technical investigations | |
| buzzword | |
| marketing hype | |
| what is a security incident | |
| importance of scoping an incident response | |
| organizations need to define what a “computer security incident” means to them | |
| vulnerability scan | |
| act of god | |
| 25 | backup media |
| phone | |
| printer | |
| building access card | |
| 2FA token | |
| tablet | |
| computers are everywhere | |
| extortion | |
| spyware | |
| goals of incident response | |
| damage assessment | |
| 26 | who is involved in the incident response process? |
| CISO | |
| CIO | |
| incident manager | |
| incident commander | |
| 27 | security posture |
| European Union (EU) | |
| PCI, HIPAA, FISMA, NERC | |
| 28 | finding incident response talent |
| cost of maintaining an incident response team | |
| outsourcing | |
| Fortune 50 | |
| 29 | hiring incident response talent |
| Forensic Focus message board | |
| 30 | network traffic analysis |
| artifact | |
| log file analysis | |
| need to write well for reports | |
| sandbox | |
| certifications with periodic re-testing | |
| 31 | the incident response process: initial response, investigation, remediation |
| leads | |
| CFO | |
| banking trojan | |
| incident response will look different based on the circumstances | |
| 32 | “Maybe it's best not to act quickly” |
| 33 | “shiny objects” |
| 34 | characteristics of good leads: relevant, detailed, actionable |
| IoC pronunciation: eye-oh-see | |
| OpenIOC | |
| Cybox | |
| Yara | |
| MITRE | |
| 35 | Visual Basic |
| Windows Management Instrumentation (WMI) | |
| Snort | |
| Redline | |
| lack of enterprise-grade or mature solutions for IoC formatting | |
| 36 | systems of interest |
| initial triage: validate, categorize, prioritize | |
| false positive | |
| 37 | evidence preservation |
| imaging | |
| volatile data | |
| live response | |
| memory collection | |
| volume of data may be prohibitive | |
| rootkit | |
| 38 | limits of memory analysis |
| forensic disk imaging | |
| 39 | “CSI effect” |
| 40 | posturing: extra steps taken with remediation to ensure the success of remediation |
| tactical remediation | |
| strategic remediation | |
| tracking investigative data and information | |
| 41 | lists: collected evidence, impacted systems, files of interest, accessed and stolen data, attacker activity, IoCs, ongoing tasks and asks |
| Microsoft Excel spreadsheet | |
| RTIR - bestpractical.com | |
| 42 | reporting |
| 46 | big data |
| identifying risk | |
| policies conducive towards successful incident response | |
| 47 | corporate reputation |
| 48 | Acceptable Use Policy (AUP) |
| security policy | |
| remote access policy | |
| Internet usage policy | |
| privacy | |
| SANS | |
| ISO 27002:2005 | |
| Service Level Agreement (SLA) | |
| 49 | privacy and labor regulations |
| team coordination: timezones, handoffs | |
| user education | |
| awareness training | |
| 50 | FTP |
| 51 | attackers eavesdropping on incident response communication |
| COMSEC | |
| email encryption: S/MIME, PGP | |
| data labeling and classification | |
| 52 | monitor conference call participants |
| case numbers | |
| project codenames | |
| IDS | |
| voicemail | |
| public relations | |
| 53 | deliverables |
| 54 | Carnegie Mellon Software Engineering Institute |
| Purdue University College of Technology | |
| Johns Hopkins University Information Security Institute | |
| incident response team hardware | |
| full disk encryption | |
| self-encrypting drive | |
| TrueCrypt | |
| McAfee Endpoint Protection | |
| 55 | USB thumb drive |
| SATA | |
| laptop | |
| 56 | virtual machines for analysis |
| PATA, SCSI, SAS, eSATA | |
| write blocker | |
| mobile device forensics equipment | |
| UPS | |
| rack mount | |
| Torx bit | |
| spudger | |
| specialized case opening tools | |
| 57 | FreeBSD, Linux |
| SecurityOnion | |
| Easy-IDS | |
| 58 | forensically sound |
| Frye test | |
| case law | |
| Daubert v. Merrell Dow Pharmaceuticals | |
| Kumho Tire Co. et al. v. Carmichael et al. | |
| Daubert standard | |
| 59 | Backtrack, CAINE, Helix |
| boot disk: CD, USB, … | |
| live media | |
| operating system | |
| virtual machine snapshots | |
| NIST Computer Forensic Tool Testing | |
| 60 | evidence handling |
| MD5 | |
| internal knowledge repository | |
| search engine | |
| 61 | server, desktop, laptop |
| 62 | DISA STIGs |
| HIPS | |
| asset management | |
| 63 | provision date |
| database | |
| MAC | |
| DHCP | |
| 64 | HP-UX |
| whitelisting/allowlisting, blacklisting/blocklisting | |
| mass password change difficulties | |
| 65 | NTLM |
| LanMan | |
| rainbow table | |
| fgdump | |
| rcracki_mt | |
| registry key | |
| instrumentation | |
| event, error, and access logs | |
| where are the logs? what’s in the logs? | |
| logging and timezones | |
| Splunk | |
| ELSA | |
| Snare - InterSect Alliance | |
| NTSyslog | |
| ArcSight | |
| RSA enVision | |
| 66 | log retention |
| logon and logoff events | |
| size of log files | |
| forwarding logs to a centralized log collector | |
| DNS query logging | |
| DHCP lease assignment logs | |
| antivirus, IDS, and firewall logs | |
| custom application logs | |
| 67 | quarantine |
| sending malicious or unknown samples to a security vendor | |
| be wary of submitting samples to antivirus sites | |
| Access Data Enterprise | |
| Guidance Software enCase Enterprise | |
| Mandiant Intelligent Response | |
| rolling your own tools | |
| 68 | patching |
| remove local administrator permissions from users | |
| ensure security software is deployed and functioning as intended | |
| decommission EOL devices and systems | |
| NSA IA mitigation guidance | |
| network segmentation | |
| network documentation | |
| 69 | ERP - Enterprise Resource Planning |
| NAC - Network Access Control | |
| 71 | Microsoft RPC |
| VLAN | |
| LDAP | |
| Active Directory | |
| IMAPS, HTTPS | |
| network switch | |
| 72 | JSON |
| database replication | |
| 73 | defense in depth |
| sensor | |
| fault tree analysis | |
| limiting workstation communication | |
| edge, switching devices | |
| 74 | border router |
| proxy-aware malware | |
| default route | |
| honeypot | |
| routing blackhole | |
| penetration test | |
| incident response tabletop | |
| MPLS | |
| 75 | router |
| network configuration change control and revision control | |
| full content capture | |
| SPAN | |
| network tap | |
| static route | |
| 76 | NetFlow emitter |
| FBI | |
| DNS blackhole | |
| zone file | |
| 77 | packet capture |
| BIND | |
| 82 | Alexander Pope |
| Hurricane Sandy | |
| NYSE | |
| detection | |
| Ferris Bueller’s Day Off | |
| 84 | local time |
| UTC | |
| difficulties with time zones and incident response | |
| using UTC is the best | |
| incident response checklists | |
| checklist | |
| 84 | RTIR - Request Tracker for Incident Response |
| Microsoft Active Directory Forest | |
| Incident Summary Checklist: | |
| - time and date of report | |
| - time and date of detection | |
| - contact info of reporter | |
| - contact info of responder | |
| - contact info of person who detected the incident | |
| 85 | - nature of incident |
| - how it was detected | |
| - identifiers and locations of affected systems | |
| - who accessed systems after detection | |
| - who is aware of the incident? | |
| - is the incident ongoing? | |
| - who needs to know? | |
| often, checklists “solve” an incident by simply filling it out and being thorough | |
| skepticism | |
| 89 | case notes |
| 90 | timelines, attack timelines, incident timelines |
| 91 | proof, legal context |
| elements of proof | |
| 92 | setting expectations |
| 93 | warez |
| win.ini | |
| /etc/hosts | |
| 96 | artifact |
| leads of value, definition | |
| 97 | NAT |
| brittle lead | |
| MD5 | |
| 98 | mutex |
| registry key | |
| exes in \Windows\Help\ | |
| 99 | XML |
| 100 | “Practical Malware Analysis” |
| host-based indicator | |
| 102 | packer |
| manual function import | |
| loose attribution | |
| 103 | sethc.exe replacement attack (Sticky Keys) |
| 104 | pseudo code |
| 105 | Image File Execution Options (IFEO) |
| 106 | network-based indicator |
| 107 | DNS cache |
| RFC 1035 | |
| 108 | QNAME |
| Snort | |
| case-insensitive | |
| 109 | tcpdump |
| Windows XP | |
| Wireshark | |
| NAT | |
| URL | |
| 111 | dropper |
| Microsoft Word | |
| staged malware | |
| 112 | MRU registry key |
| “Data Common to Environment” | |
| 113 | Perl |
| resolving internal and external leads | |
| 114 | subpoena |
| legal discovery | |
| reporting incidents to law enforcement | |
| State Department | |
| 115 | Infraguard |
| FS-ISAC | |
| DIB-CS/IA | |
| 118 | triage imaging |
| phishing | |
| 119 | trust but verify |
| SQL | |
| WWWWWH | |
| 120 | gathering preliminary evidence |
| registry keys, files, etc. related to malware | |
| network artifact | |
| independent evidence sources | |
| Windows Prefetch | |
| 121 | determining course of action |
| 123 | advanced query monitoring - databases |
| insider threat | |
| packet capture | |
| 124 | SQL query |
| spam | |
| 125 | DHCP |
| DHCP logs, DNS query logs | |
| 126 | misconceptions of insider threats |
| 127 | corporate spyware |
| 128 | witch hunt |
| Automated Clearing House (ACH) | |
| fraud | |
| CEO, CFO | |
| online banking | |
| MAC address | |
| conference room | |
| wireless network | |
| unauthorized banking transfer | |
| 129 | Zeus banking malware |
| recently installed executables | |
| 136 | live data collection |
| live response (LR) | |
| full drive duplication | |
| RFC 3227 - Guidelines for Evidence Collection and Archiving | |
| when to perform live response | |
| 137 | live response pitfalls |
| USB drive | |
| DOS batch script | |
| Microsoft DOS | |
| 138 | bash script |
| BSD | |
| selecting live response tools | |
| 139 | CSV, TSV, XML |
| 140 | marketing propaganda |
| what should a live response tool collect? | |
| 141 | collection best practices |
| 143 | access control |
| air gapping | |
| root user | |
| sudo | |
| Windows Vista | |
| Windows 7 | |
| UAC | |
| Run As Administrator | |
| CD-ROM, DVD | |
| SMB, CIFS, NFS | |
| 144 | cryptcat |
| Apple OS X | |
| automation decreases human error | |
| automation can be worse than human error | |
| being keylogged while carrying out incident response | |
| 145 | Mandiant Redline |
| Windows Server 2003 | |
| Windows Server 2008 | |
| live collection can be expensive in both costs and resources | |
| 146 | MSI |
| Redline Collector | |
| 148 | 32 and 64 bit versions of tools |
| 149 | systeminfo |
| net user | |
| net group | |
| ipconfig /all | |
| route print | |
| arp -a | |
| ipconfig /displaydns | |
| netstat -aln | |
| Diamond CS openports | |
| autoruns | |
| pslist | |
| logparser | |
| Nirsoft DriverView | |
| Nirsoft OpenedFilesView | |
| PC-Tools md5sums | |
| hashutils | |
| 150 | MS-DOS |
| VBScript | |
| Perl | |
| Python | |
| interpreted language | |
| checksum | |
| memory collection | |
| 151 | full memory dump |
| AccessData FTK Imager Lite | |
| Mantech MDD | |
| Mandiant Memoryze | |
| Moonsols Windows Memory Toolkit | |
| msiexec | |
| incident response OPSEC | |
| MemoryDD.bat | |
| 154 | Microsoft userdump |
| Microsoft procdump | |
| Ntsecurity.nu pmdump | |
| ProcessDD.bat | |
| 155 | LINRes |
| Network Intelligence India | |
| overhead of maintaining Unix live response toolkits | |
| 156 | The Apple Examiner |
| date command | |
| dpkg --get-selections | |
| Debian | |
| RPM | |
| rpm -qa | |
| BSD pkg_info | |
| OSX: /Library/Receipts/InstallHistory.plist | |
| mount command | |
| df | |
| fdisk -l | |
| cat /etc/issue | |
| uname -a | |
| w command | |
| cron | |
| /var/spool/cron | |
| init system | |
| uptime | |
| kernel version | |
| installed software | |
| 157 | services |
| /etc/passwd, /etc/shadow | |
| /etc/group | |
| ifconfig -a | |
| netstat -rn | |
| arp -a | |
| lsmod | |
| kldstat | |
| kextstat | |
| lsof | |
| ps auxwwwem | |
| /etc | |
| /var/log | |
| /var/adm | |
| /Private/var/log | |
| .bash_history | |
| shell history | |
| find command | |
| md5 command | |
| md5sum command | |
| 158 | IRIX |
| Solaris | |
| dd | |
| dcfldd | |
| /dev/mem | |
| LKM | |
| LiME - Linux Memory Extractor | |
| Ubuntu, CentOS, Debian, openSUSE | |
| 159 | tarball |
| Linux kernel headers | |
| insmod | |
| netcat file transfer | |
| 160 | FreeBSD, NetBSD, OpenBSD |
| dc3dd | |
| BSD ports | |
| pkg_add | |
| sysctl | |
| EOF | |
| hw.physmem64 | |
| 161 | 4kb chunks for performance |
| NFS share | |
| Memoryze for Mac | |
| Mac Memory Reader | |
| ATC-NY | |
| 162 | /proc/PID/mem |
| gcore | |
| core dump | |
| gdb | |
| 166 | forensic duplication |
| simple duplication | |
| 167 | SSD |
| hard drive sector | |
| Host Protected Area | |
| Drive Configuration Overlay (DCO) | |
| SSD load leveling | |
| SSD error detection | |
| NIST - Computer Forensics Tools Verification | |
| CFTT | |
| forensic image formats | |
| 168 | complete disk image |
| OEM | |
| Dell | |
| HP | |
| RAID | |
| partition | |
| 169 | SEC filing |
| MacBook Pro | |
| attacker downgrading OS and software as anti-forensics | |
| 170 | partition image |
| slack space | |
| unallocated space | |
| logical image | |
| NAS | |
| SAN | |
| 171 | FTK Imager |
| enCase | |
| VMX, VMDK, VMSS files | |
| image integrity | |
| bad sector | |
| hard drive firmware | |
| AFF format - Advanced Forensic Framework | |
| Expert Witness Format (EWF) | |
| ASR Data SMART | |
| MD5, SHA1 | |
| 172 | E01 files - enCase |
| Andrew Rosen | |
| 173 | traditional duplication; computer powered off |
| hardware write blocker | |
| ASIC | |
| 174 | SATA, PATA, FireWire, eSATA |
| WiebeTech Forensic UltraDock | |
| 175 | mounting read only may still alter data on the drive |
| replaying journals | |
| repairing inconsistencies | |
| 176 | DCFL |
| DC3 - Defense Cyber Crime Center | |
| Backtrack | |
| Ultimate Boot CD | |
| POSIX | |
| /mnt | |
| 177 | auto mount |
| diskarbitrationd | |
| 178 | live system duplication |
| risks of live duplication | |
| mSATA | |
| 180 | MacBook Air |
| ZIF ribbon connector | |
| PowerBook | |
| Target Disk Mode | |
| ThunderBolt | |
| Tableau LLC | |
| 181 | duplicating virtual machines |
| memory snapshots of virtual machines | |
| 184 | SPAN |
| network monitoring | |
| egress point monitoring | |
| tactical sensor | |
| 185 | Sourcefire |
| Snort | |
| RSA NetWitness | |
| NIDS | |
| event-based alert | |
| Suricata | |
| 186 | too many rules may bog down NIDS systems |
| Snort output plugins | |
| alert_fast | |
| ASCII | |
| Mandiant APT1 report | |
| fake SSL certificate | |
| 187 | header logging, full packet logging |
| raw packets | |
| tcpdump | |
| 199 | W Richard Stevens TCP/IP Illustrated |
| Ethernet frame | |
| IPv4 header | |
| TCP header | |
| statistical modeling | |
| NetFlow | |
| Fluke | |
| HP | |
| SolarWinds | |
| IBM | |
| argus | |
| flow-tools | |
| 189 | ragraph Argus command |
| 191 | laptops or 1U servers as network monitoring hardware |
| 192 | appropriate hardware for network monitoring |
| Solera Networks | |
| 193 | NTOP |
| PF_RING | |
| AF_PACKET | |
| “Comparing and Improving Current Packet Capturing Solutions Based on Commodity Hardware” 2010 | |
| “Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware” 2007 | |
| DeepSea appliance | |
| SecurityOnion | |
| 194 | Xubuntu |
| ISO image | |
| 195 | choke point |
| VLAN trunking | |
| VLAN tag | |
| IPSec | |
| MPLS | |
| Tripwire | |
| 196 | evaluating network sensors |
| C, Lua | |
| Wireshark decoder | |
| 198 | Wireshark statistics |
| ftp-data port 20 | |
| 199 | Wireshark “Follow Stream” |
| extracting files from FTP packet captures with Wireshark | |
| 204 | fgdump password dump tool |
| 205 | MySQL |
| Apache | |
| SQL injection | |
| SSL decryption with Wireshark | |
| 208 | sqlmap User-Agent |
| 209 | net view |
| tasklist /v | |
| tree command | |
| 210 | attacker adding a user |
| attacker adding user to Administrators group | |
| 211 | nmap |
| NetWitness Investigator | |
| 213 | collecting logs from network events |
| chain of custody | |
| 216 | DHCP RFC 2131 |
| 217 | Microsoft DHCP |
| Microsoft TechNet | |
| 218 | %WINDIR%\System32\Dhcp\ |
| Server 2012 | |
| 219 | Server 2003 R2 |
| DHCP enabled by default | |
| DhcpSrvLog<day>.log | |
| ISC DHCP | |
| syslog, syslog-ng, rsyslog | |
| DHCPDISCOVER | |
| DHCPOFFER | |
| /etc/syslog.conf, /etc/rsyslog.conf, /etc/syslogng.conf | |
| 220 | DNS: RFC 1034, RFC 1035 |
| parked hostnames | |
| 221 | localhost 127.0.0.1 |
| ISC Berkeley Internet Name Domain (BIND) | |
| named.conf.local | |
| query logging with BIND | |
| IPv6 AAAA | |
| 222 | ANSWER section |
| Microsoft DNS | |
| Debug Logging - query logging | |
| 223 | %SYSTEMROOT%\System32\Dns\dns.txt |
| truncated on reset or overflow | |
| 224 | DNSCAP |
| LANDesk | |
| Symantec Altiris Client Management Suite | |
| Software License Monitoring (SLM) | |
| 226 | LANDesk registry keys |
| SOFTWARE hive | |
| REG_BINARY | |
| REG_SZ | |
| REG_DWORD | |
| Python script for converting LANDesk timestamps | |
| 227 | SLM Browser |
| RegRipper - landesk.pl | |
| Justin Prosco | |
| Willi Ballenthin - Python registry library | |
| Windows Recycle Bin | |
| 228 | Application Metering |
| search for suspicious executions of net.exe, net1.exe, cmd.exe, at.exe, … | |
| TSU | |
| AeXAMInventory.txt | |
| 230 | antivirus quarantine |
| Symantec Endpoint Protection (SEP) | |
| logfile location | |
| 233 | SEP quarantine location |
| VBN extension | |
| QExtract | |
| pyqextract.py - Jamaal Speights | |
| XOR: 0x5a, 0xa5 | |
| McAfee Virus Scan Enterprise | |
| 234 | log locations |
| McAfee ePolicy Orchestrator (ePO) | |
| 235 | McAfee Virusscan quarantine location |
| BUP extension | |
| OLE file format | |
| OLECF | |
| 7-Zip | |
| hex editor | |
| McAfee FileInsight | |
| 236 | Trend Micro Office Scan |
| log file: pccnt35.log | |
| 238 | VSEncode.exe |
| hacktivist | |
| IIS | |
| 239 | HTTP RFC 2616 |
| virtual host | |
| 240 | Apache |
| 241 | Apache config and log locations |
| access.log | |
| CustomLog, ErrorLog directives | |
| content locations: DocumentRoot | |
| X-Forwarded-For | |
| Apache Common Log Format | |
| NCSA extended/combined log format | |
| 242 | Microsoft IIS |
| config location | |
| Windows NT 3.51 SP3 | |
| IIS Express | |
| 243 | IIS log locations |
| W3C Extended Log File Format | |
| UTF-8 Unicode | |
| IIS7 | |
| 244 | database server |
| 245 | MS-SQL, MySQL, Oracle |
| “SQL Server Forensic Analysis” - Kevvie Fowler | |
| databases are fragile and brittle | |
| 246 | MSSQL Server Management Studio (SSMS) |
| MSSQL log locations | |
| 247 | .mdf, .ldf file formats |
| MySQL config locations, log locations | |
| my.cnf, my.conf | |
| query logging has unreasonable overhead | |
| 248 | MyISAM |
| InnoDB | |
| Oracle SQL server configuration, log locations | |
| 254 | Neil deGrasse Tyson |
| scientific method | |
| 255 | fallacy of proving negatives |
| 256 | .pst file |
| technology changes fast, but fundamentals change slowly | |
| 257 | PDA |
| location of data | |
| virtual desktop | |
| 258 | backups |
| Carbonite, Mozy, Dropbox, Google Drive | |
| NTFS, HFS+ | |
| plist file | |
| NTFS stream | |
| VFS inode | |
| HFS resource fork | |
| File Allocation Table FAT16 FAT32 | |
| “File System Forensic Analysis” - Brian Carrier | |
| 259 | data handling policy |
| 260 | Credant full disk encryption |
| FDE - Full Disk Encryption | |
| 261 | FUSE |
| uuencoding | |
| 265 | NSRL |
| 268 | string/keyword searching |
| foremost | |
| file carving | |
| 269 | sanity check |
| 273 | dead disk forensics |
| MFT - Master File Table | |
| 274 | Windows Explorer |
| $MFT | |
| 512 byte sectors | |
| MFT entry | |
| $LogFile | |
| Active/Inactive flag (NTFS) | |
| $STANDARD_INFORMATION | |
| $FILENAME | |
| $DATA | |
| advanced format (AF) | |
| FILE_RECORD_SEGMENT_HEADER | |
| 275 | identifying deleted files |
| 276 | MACE timestamps |
| $SIA, $SI | |
| STANDARD_INFORMATION | |
| FNA, $FN, FILE_NAME | |
| 277 | Sleuth Kit |
| Entry Modified timestamp | |
| filename created | |
| MS-DOS 8.3 filename | |
| time stomping | |
| anti-forensics, counter-forensics | |
| SetMACE | |
| 278 | $FN MACE is difficult to do without direct MFT access |
| raw disk access | |
| double time stomping | |
| Windows Vista | |
| 279 | files copied from media may preserve timestamps |
| SANS DFIR posters | |
| contiguous data | |
| fragmented data | |
| resident data | |
| 280 | MFT entry: 1024 bytes |
| ADS - Alternate Data Streams | |
| dir /r | |
| type command and ADS | |
| 281 | Poison Ivy backdoor |
| SysInternals streams | |
| LADS - Frank Heyne | |
| 282 | X-Ways Forensics |
| Zone.Identifier | |
| MSDN - “Known Alternate Stream Names” | |
| mft2csv | |
| analyzeMFT | |
| Plaso | |
| log2timeline | |
| INDX attributes | |
| 283 | B+ tree |
| $I30 | |
| INDEX_ROOT | |
| INDEX_ALLOCATION | |
| INDX - 4096 byte chunks | |
| physical size vs logical size | |
| %TEMP% | |
| working directory | |
| 284 | “Striking Gold Incident Response NTFS INDX Buffers” - Mandiant |
| INDXParse | |
| 285 | NTFS Change Logs |
| journaled file system | |
| $Logfile | |
| $UsnJrnl | |
| $LogFile - typically 64 MB | |
| USN - Update Sequence Number | |
| \$Extend\$UsnJrnl | |
| Index/Search Service | |
| File Replication Service | |
| 286 | fsutil |
| LogFileParser | |
| TZWorks Journal Parser | |
| parser-usnjrnl | |
| Volume Shadow Copies - VSC | |
| NT Backup Service | |
| System Restore Point | |
| 287 | default VSC snapshot size: 5% of volume size on Windows 7, 16% on Vista+ |
| system restore scheduled tasks | |
| registry hive | |
| vssadmin list shadows /for=VolumeLetter | |
| mklink /D target_dir shadow_copy_volume | |
| libvshadow | |
| Shadow Explorer | |
| VSCToolkit | |
| 288 | WoW64 |
| File System Redirector | |
| %SYSTEMROOT%\System32\ | |
| %SYSTEMROOT%\SysWOW64\ | |
| Microsoft Developer Network | |
| 289 | Program Files |
| Prefetch | |
| Windows Cache Manager | |
| %SYSTEMROOT%\Prefetch\ | |
| .pf extension | |
| Layout.ini | |
| 290 | C:\Windows\Prefetch\ |
| SuperFetch | |
| AgAppLaunch database | |
| https://blog.rewolf.pl/blog/?p=214 | |
| 291 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PreFetchParameters |
| enabling Prefetcher | |
| hashing AppList | |
| dllhost.exe | |
| mmc.exe | |
| rundll32.exe | |
| Hexacorn - Prefetch Hash Calculator | |
| 292 | NTOSBOOT Prefetch file |
| “10 second rule” | |
| NirSoft WinPrefetchView | |
| bulk acquisition of Prefetch in investigations | |
| 293 | Last Run Time |
| Last Modified Time | |
| Forensics Wiki | |
| TZWorks Prefetch Parser | |
| RedWolf Forensics Prefetch Parser | |
| 294 | Event Logs |
| Application, System, Security | |
| XP/2003: %SYSTEMROOT%\System32\Config | |
| .evt, .evtx extensions | |
| 295 | Vista+: %SYSTEMROOT%\System32\winevt\Logs |
| AppLocker, UAC, Terminal Services logs | |
| EIDS | |
| https://www.myeventlog.com | |
| https://www.eventid.net | |
| 296 | Logon events |
| Logon Types: 2: interactive, 3: network, 4: batch, 5: service, 6: proxy, 7: unlock, 8: network cleartext, 9: new credentials, 10: remote interactive, 11: cached interactive | |
| 298 | LogonProcess: NtlmSsp, Kerberos, User32, Advapi |
| Authentication Package: NTLM, Negotiate, Kerberos | |
| Workstation Name | |
| Source Network Address | |
| VNC | |
| lateral movement | |
| 299 | Event ID 4688 |
| 301 | Process Tracking, Detailed Tracking, Process Auditing |
| GPO | |
| 302 | Volume of 4688 events |
| Maximum Security Event Log setting | |
| SCM - Service Control Manager | |
| PsExec | |
| Event IDs 7035, 7036 | |
| Windows Credential Editor | |
| hash replay | |
| antivirus alerts in Event Logs | |
| Event Viewer | |
| FixEVT | |
| 304 | PsLogList |
| Log Parser - SQL queries on Event Logs | |
| Event Log Explorer | |
| LfLe | |
| python-evtx | |
| Plaso | |
| 305 | Event Logs are UTC, Event Viewer is local time |
| Scheduled Tasks | |
| Task Scheduler | |
| at.exe | |
| schtasks.exe | |
| Management Console snap-in | |
| attackers use scheduled tasks to avoid using helpers such as PsExec | |
| at.exe usage | |
| 306 | at.exe on remote systems |
| at.exe runs tasks as SYSTEM | |
| at.exe privesc | |
| deleting at jobs | |
| 307 | schtasks.exe usage |
| .job files | |
| %SYSTEMROOT%\Tasks\ | |
| Vista+ doesn't delete .job files on success, but they are cleared when Task Scheduler restarts or the system reboots | |
| Task Scheduler log locations: 2000, 2003, XP: %SYSTEMROOT%\SchedLgU.txt; Vista+: %SYSTEMROOT%\Tasks\SchedLgU.txt | |
| Task Scheduler Event Logs: Microsoft-Windows-TaskScheduler%4Operational | |
| wevtutil - enable Task Scheduler logs | |
| 308 | analyzing .job files |
| jobparser.py - Jamie Levy | |
| 310 | timestamps of .job files - last execution |
| Registry Key timestamps | |
| 311 | cscript.exe |
| cmd.exe to execute files obfuscation | |
| 312 | Event IDs: 10, 140, 319, 100, 200, 129, 201, 202 |
| 313 | Windows Registry |
| registry key, value, hive | |
| 314 | registry live locations: SYSTEM, SECURITY, SOFTWARE, SAM, DEFAULT, NTUSER.DAT, USRCLASS.DAT |
| 315 | Cygwin |
| regedit.exe | |
| reg.exe | |
| 316 | registry hive mappings: HKLM, HKU, HKCU, HKCC, HKEY_CLASSES_ROOT |
| SID - Security Identifier | |
| CurrentControlSet | |
| 317 | registry timestamps |
| registry subkey | |
| no created or accessed timestamps! | |
| keys only! not values | |
| Last Write Time | |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | |
| runkeys as persistence | |
| caveats of LastWriteTime | |
| 318 | SetRegTime - Joakim Schicht |
| Registry Reflection | |
| Registry Redirection | |
| Wow6432Node | |
| “Registry Keys Affected by View64” - MSDN | |
| 319 | “Registry Reflection” - MSDN |
| System Configuration registry keys | |
| ShimCache | |
| common autorun registry keys | |
| user hive registry keys | |
| Control Panel | |
| 320 | table of registry entries |
| 322 | “How to Determine Audit Policies From the Registry” |
| “Well-Known SIDs” | |
| ShimCache/Application Compatibility Cache | |
| registry location of ShimCache: XP, Vista+ | |
| advantages of ShimCache over Prefetch | |
| 323 | “Leveraging the Application Compatibility Cache in Forensics Investigations” |
| Andrew Davis | |
| ShimCacheParser.py | |
| Mandiant ShimCache whitepaper | |
| 324 | there are hundreds of autorun keys |
| autostart extensibility points | |
| persistence mechanism keys | |
| Windows Services | |
| Local System, Network Service, Local Service | |
| 325 | HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> |
| * Microsoft Service Key value documentation * | |
| 326 | svchost.exe |
| ServiceMain | |
| ServiceDLL | |
| ImagePath | |
| 327 | sc query |
| sc queryex | |
| sc start, stop, create | |
| * sc.exe documentation * | |
| Service Management snapin services.msc | |
| 328 | sc/Service Manager do not allow editing of ServiceDLL; use regedit.exe |
| tasklist /svc | |
| Volatility Framework | |
| Run, RunOnce keys | |
| * common locations * | |
| 329 | Active Setup |
| Windows 98 | |
| * registry key locations * | |
| malware re-using GUIDs with Active Setup | |
| Googling GUIDs | |
| StubPath - Active Setup | |
| PoisonIvy using Active Setup persistence | |
| 331 | AppInit_DLLs |
| user32.dll | |
| * registry locations * | |
| Windows 7+ requires signed AppInit_DLLs | |
| LSA Packages | |
| Local Security Authority (LSA) | |
| * registry locations * | |
| malware doesn't need to implement LSA functionality | |
| msv1_0 - NTLM local and domain | |
| Kerberos | |
| wdigest - digest authentication | |
| tspkg - Terminal Services SSO | |
| notification packages - when passwords are set or changed | |
| FPNWCLNT - File and Print Services for NetWare | |
| RASSFM - Remote Access Subauthentication | |
| KDCSVC - Kerberos Key Distribution Center Service | |
| scecli - Security Configuration Engine Client | |
| * Microsoft Documentation * | |
| 332 | LSA as persistence |
| Browser Helper Object (BHO) | |
| Internet Explorer | |
| adware, scamware | |
| COM - Component Object Model | |
| CLSID - Class ID * registry location * | |
| search Google for CLSIDs | |
| IE7+ - Manage Add-Ons | |
| Shell Extensions - “BHOs for Explorer” | |
| 333 | blacklisting CLSIDs |
| “Registering Shell Extension Handlers” | |
| Winlogon GINA | |
| GinaDLL * registry location * | |
| GINA DLL MiTM | |
| Winlogon Notification * registry location * | |
| winlogon.exe | |
| screen saver | |
| screen lock | |
| Winlogon Notify eliminated in Vista+ | |
| 334 | Winlogon Shell * registry location * |
| Winlogon Userinit * registry location * | |
| Winlogon persistence | |
| key-value pairs | |
| Identifying Malicious AutoRuns: typos, weird paths, problems with this approach | |
| 335 | hijacking legitimate services |
| look for unsigned DLLs/exes | |
| look for timestamps within incident timeline | |
| 336 | Bit9 File Advisor - known good |
| malware signing binaries | |
| stolen code signing certificates | |
| 338 | Shellbags * registry location * |
| 339 | shellbags.py |
| 340 | Dan Pullega Shellbags blog |
| “Using Shellbag information to reconstruct user activities” - Zhu, Gladyshev, James | |
| “Computer Forensic Artifacts: Windows 7 Shellbags” | |
| Chad Tilbury | |
| SANS Shellbags blog | |
| TZworks sbag | |
| UserAssist * registry location * | |
| LNK file | |
| Start Menu | |
| Run menu | |
| 341 | ROT13 - UserAssist |
| Nirsoft UserAssistView | |
| Didier Stevens - UserAssist | |
| MUI Cache | |
| 342 | MUICache * registry location * |
| NirSoft MUICacheView | |
| 343 | MRU - Most Recently Used keys * registry location * |
| Explorer Open and Save MRU | |
| ComDlg32 | |
| OpenSavePid1MRU | |
| OpenSaveMRU | |
| LastVisitedPid1MRU | |
| 344 | CIDSizeMRU |
| Harlan Carvey - RegRipper | |
| Start Menu Run MRU * registry location * | |
| RecentDocs * registry location * | |
| LNK files for recents | |
| 345 | Internet Explorer TypedURLs/TypedPaths * registry locations * |
| links, bookmarks | |
| doesn’t track clicks of links or bookmarks | |
| The Digital Forensics Stream Blog | |
| UNC path | |
| 346 | Remote Desktop MRU * registry location * |
| Terminal Services / Server Client | |
| 347 | Windows Registry Decoder |
| AutoRuns | |
| autorunsc | |
| 348 | UserAssist - Didier Stevens |
| 349 | NirSoft registry tools * link * |
| 350 | Recent Documents |
| LNK file analysis | |
| 351 | TZWorks lp |
| Simple File Parser - Google | |
| Jump Lists - added in Windows 7 | |
| taskbar | |
| Microsoft Outlook | |
| JumpLister - WoanWare | |
| JumpList file paths | |
| 353 | analyzing Recycle Bin artifacts |
| Vista+ changed Recycle Bin format | |
| $I, $R files | |
| INFO2 files | |
| 356 | Recycle Bin should never contain normal files beyond desktop.ini |
| Rifiuti2 | |
| memory forensics | |
| 357 | page file |
| physical memory | |
| FireWire IEEE 1394 - direct memory access | |
| 358 | page file locations |
| 359 | crash dump |
| kernel memory dump | |
| 360 | minidump * filesystem locations * |
| complete memory dump * filesystem locations * | |
| memory.dmp | |
| Windows Error Reporting * registry * | |
| Moonsols Windows Memory Toolkit | |
| WinDbg | |
| Hibernation Files * filesystem locations * | |
| hiberfil.sys | |
| Volatility image copy plugin | |
| 361 | memory analysis |
| EPROCESS blocks - Executive Process | |
| SID to username mapping blog * | |
| 362 | Handles |
| SysInternals handle, Process Explorer | |
| Zeus malware | |
| 363 | mutex/mutant |
| Zeus usage of mutants | |
| PoisonIvy usage of mutants | |
| 364 | Virtual Address Descriptor (VAD) trees |
| Dolan Gavitt VAD blog * | |
| Windows Process Loader | |
| 366 | csrss.exe - Client/Server Runtime Subsystem |
| strings in memory | |
| LSASS dump from memory - mimikatz | |
| Pagefile.sys analysis | |
| 367 | * pagefile registry settings * |
| process injection | |
| CreateRemoteThread/LoadLibrary | |
| 368 | hooking |
| SetWindowsHookEx keylogger | |
| GetAsyncKeyState keylogger | |
| 369 | IAT hooking |
| IDT hooking | |
| SSDT hooking | |
| System Service Dispatch Table | |
| Kernel Patch Protection (KPP) | |
| PatchGuard | |
| Volatility apihooks plugin | |
| HttpSendRequestA | |
| wininet.dll | |
| 370 | DumpIt |
| 371 | Scheduled Tasks persistence |
| Conficker - unnamed scheduled tasks | |
| .job files | |
| system binary modification | |
| 373 | Windows File Protection (WFP) |
| Windows Resource Protection (WRP) | |
| Sticky Keys | |
| IFEO - Image File Execution Options | |
| sethc.exe | |
| Accessibility Features | |
| DLL load order hijacking / search order hijacking | |
| ntshrui.dll persistence | |
| DLL proxying/passthrough | |
| 376 | * sources of evidence * |
| 382 | macOS / Mac OS X |
| Spotlight | |
| HFS+ | |
| 383 | HFS+ Volume layout |
| HFS+ Boot Blocks | |
| Finder | |
| System folder | |
| HFS+ Volume Header, Alternative Volume Header | |
| 384 | iBored |
| 385 | Volume Header Structure * |
| 386 | GMT time |
| 387 | Allocation file, Extents Overflow file, Catalog file, Attributes file, … Startup file |
| named for | |
| B-tree | |
| CNID - Catalog Node ID | |
| plist format | |
| 388 | Safari |
| xattr -lr * | |
| “MDItem reference” | |
| com.apple.metadata | |
| 389 | Spotlight |
| Application Bundles | |
| mdfind | |
| Mac OS X Lion | |
| Managed Storage | |
| 390 | sqlite3 |
| SQLite Manager | |
| 392 | /Applications, /Developer, /Library, /System |
| 393 | /Network, /Users |
| MacPorts | |
| BSD ports | |
| “File System Programming Guide” | |
| 394 | /Applications |
| Application Bundles | |
| .app | |
| .framework | |
| .plugin | |
| .kext | |
| Finder - Show Package Contents | |
| VMWare Fusion | |
| Console | |
| Help Bundle | |
| XCode | |
| 397 | plutil |
| /System domain | |
| /User domain | |
| 398 | NeXTStep |
| Sun NIS+ | |
| NetInfo | |
| LDAP | |
| User and Service Config | |
| /private/var/db/dslocal | |
| Directory Services | |
| 400 | share points |
| AFP, SMB, FTP | |
| 401 | Trash and Deleted Files |
| .Trashes, ~/.Trash, /private/var/root/.Trash | |
| /Volumes | |
| 402 | OpenBSM |
| Audit Explorer | |
| App Store | |
| /etc/security | |
| 403 | vim/vi execution “trick” |
| 404 | airportd |
| aosnotifyd | |
| pboard | |
| sharingd | |
| spindump_agent | |
| Spindump | |
| 405 | /usr/share/sandbox |
| system and application log locations * | |
| 406 | Highlighter |
| Apple System Log (ASL) | |
| syslog facilities | |
| 407 | ASL log: /private/var/log/asl |
| .asl files | |
| viewing .asl files w/ syslog command | |
| 408 | LogStash |
| sawmill | |
| Splunk | |
| carving logs with grep, sed, awk, … | |
| praudit -a | |
| 413 | cron, launchd, rc, … |
| Launch Agents, Launch Daemons | |
| 414 | Bonjour |
| zero configuration networking | |
| iChat | |
| 415 | application installers |
| bill of materials: BOM | |
| AutoDesk AutoCAD | |
| 416 | * sources of investigative material * |
| 422 | Application Data in DFIR |
| 423 | Program Files directory |
| Documents and Settings | |
| ProgramData / AppData | |
| Uninstall registry keys * | |
| HKLM\SOFTWARE, HKLM\SOFTWARE\Wow6432Node | |
| 424 | Filesystem Hierarchy Standard (FHS) |
| 425 | rpm -qa --queryformat |
| dpkg --get-selections | |
| yum, rpm, dpkg, apt | |
| Knoppix | |
| dpkg.log | |
| VirtualBox | |
| 426 | how to investigate an application |
| 428 | PuTTY |
| PuTTY registry location * | |
| RegShot | |
| 429 | investigating web browsers |
| 430 | Internet Evidence Finder |
| NirSoft BrowsingHistoryViewer | |
| 431 | Spyglass |
| Internet Explorer registry * | |
| 432 | Internet Explorer filesystem * |
| Extensible Storage Engine (ESE) database | |
| Index.dat - libmsiecf | |
| ESE detail - libesedb | |
| 433 | Index.dat locations * |
| 434 | Windows Search Index, LDAP, Exchange use ESE databases |
| 435 | IE History |
| WebCache db | |
| IE Cache | |
| 436 | IE Cookies |
| NirSoft IE tools * | |
| 437 | esentutl /p <file> - repair ESE db |
| Google Chrome paths * | |
| 438 | Chrome History SQL query |
| Chrome Cache | |
| 439 | Chrome Cookies, Downloads, Autofill |
| WebKit | |
| 441 | Chrome forensics tools * |
| Mozilla Firefox | |
| 442 | Mozilla file locations * |
| 443 | History, moz_places |
| Downloads, moz_downloads | |
| 445 | Firefox forensics tools* |
| email clients | |
| MIME | |
| email headers | |
| spear phishing | |
| 446 | email forensic tools * |
| webmail: OWA, Gmail, Hotmail, … | |
| 447 | webmail forensics links * |
| 448 | Outlook file locations * |
| 449 | Office friendly/short versions * |
| Outlook profile registry locations * | |
| PST, OST | |
| libpff | |
| 450 | pffinfo.exe |
| 452 | Apple Mail |
| 453 | Apple Mail filesystem * |
| Outlook for Mac | |
| 454 | Aid4Mail |
| Emailchemy | |
| Instant Messaging | |
| 453 | SOAP |
| 456 | Skype paths * |
| 459 | Skype forensics tools * |
| Facebook chat | |
| 461 | AIM - AOL Instant Messenger |
| 466 | malware triage |
| dangers of malware triage | |
| setting up virtual machines for malware analysis | |
| 470 | dangers of interacting with attacker infrastructure |
| 471 | hacking back |
| CFAA | |
| 473 | static analysis |
| 474 | md5deep |
| DigestIt2004 | |
| WinMD5 | |
| looking up hash info * | |
| 475 | looking up file info * |
| file headers / magic | |
| 476 | file command |
| 010 Editor | |
| 479 | strings |
| 480 | MAP - Malcode Analyst Pack |
| 482 | malware: hard-coding, obfuscation, encoding, … |
| 483 | PEiD |
| 485 | PEview |
| CFF Explorer | |
| .NET | |
| 486 | dependency walker |
| packed files | |
| 487 | OllyDbg, plugins |
| 498 | dynamic analysis |
| sandbox | |
| 490 | getting malware to run, rundll32.exe |
| 491 | ProcMon |
| monitoring malware at runtime | |
| 500 | report writing |
| why write reports | |
| 501 | reporting standards |
| 502 | “Improving your technical writing skills” - Norman Fenton |
| University of London | |
| active voice | |
| past tense | |
| 504 | expert reports |
| expert witness | |
| 505 | report content and organization |
| report templates | |
| 508 | quality assurance |
| “The Elements of Style” - Strunk and White | |
| 514 | remediation |
| 515 | remediation process, high level |
| 517 | incident severity |
| 519 | HIPAA, PII, PHI |
| notification requirements for breaches | |
| 520 | MTTR - Mean Time to Remediate |
| eradication | |
| remediation team | |
| stakeholder | |
| 525 | Industrial Control Systems (ICS) |
| Subject Matter Expert (SME) | |
| 524 | remediation timing |
| Automated Clearing House (ACH) | |
| 526 | remediation posture |
| 528 | implications of alerting the attacker |
| attackers changing TTPs | |
| attackers going dormant | |
| 529 | attackers becoming destructive |
| containment | |
| 532 | eradication, eradication planning |
| 537 | eradication “strike zone” |
| 540 | cleaning vs rebuilding |
| 541 | strategic recommendations |
| 542 | lessons learned |
| 550 | common remediation mistakes |