WINDOWS FORENSICS FOR
INCIDENT RESPONSE
CHRISTIAN KOPACSI
CISSP CISM CEH CHFI SECURITY+
WHAT IS INCIDENT
RESPONSE
An organized approach to addressing and managing the
aftermath of a security breach or attack.
STEPS TO SUCCESS
PURPOSE OF
INCIDENT RESPONSE

Preparation


Detection & Analysis


Root cause analysis
Recovery


Prevent further damage
Eradication


Did an incident occur
Containment


User Awareness
Reimage the affected workstation
Post Incident Activity

Lessons Learned
PREPARATION
 User Awareness & Training
SOCIAL ENGINEERING
DETECTION &
ANALYSIS
 You can’t Respond if you can’t Detect
 Logs – Hopefully a SIEM
 Workstation \ Server
 Firewall
 IDS \ IPS
 Internet Proxy \ Filter
 MSSP \ 3rd Party
 End Users \ Customers
 You!
CONTAINMENT
 Prevent Further Damage
 NAC
 ACL
 Firewall
 Switch
 Software
 Application Whitelisting
 AV
ERADICATION
 Root Cause Analysis
 Make Sure Problem
Does Not Come Back!
RECOVERY
 Known Good Configuration
 Reimage Device
 Restore from Backup
POST INCIDENT
ACTIVITY
 Lessons Learned
 What Worked
 What Didn’t Work
 New Policy \ Procedures
 Change to existing Controls
 Implement New Controls
WINDOWS BASED
FORENSIC TOOLKIT
TABLEAU WRITE
BLOCKER
 SATA\IDE
DIGITAL CAMERA
 Document state of evidence
 Inventory items seized
CHAIN OF CUSTODY
FORM
 Log all transfer of evidence
EVIDENCE BAGS
MISC.
ACCESSDATA FTK
IMAGER
 Physical\Logical Hard Drive Acquisition
ACCESSDATA FTK
IMAGER
 Live Memory Acquisition
 Encryption Keys, Passwords, Running Processes
IMDISK VIRTUAL DISK
DRIVER
 Mount evidence files as Read Only Hard Drive
REGRIPPER
 Registry Analysis





SAM
Security
Software
System
NTUser
HELIX
 Free Version still available
 Best of Both Worlds
 Run applications from within Windows
 Boot from Linux Live CD
MALWAREBYTES
ANTI-MALWARE
EXIFTOOL - PHOTOS
EXIFTOOL – OFFICE
DOCUMENTS
PROCMON
INTERNET EVIDENCE
FINDER
FORENSIC SOFTWARE
SUITE
FORENSICS AND THE
STATE OF MICHIGAN
 PROFESSIONAL INVESTIGATOR LICENSURE ACT
 As of May 28, 2008, all computer forensic firms must have
a Private Investigators license to practice in Michigan.
 Any person engaged in the collection of electronic
evidence and/or engaged for the presentation electronic
evidence in a Michigan court must have a valid Private
Investigators License
REFERENCES &
THANKS
 NIST 800-61
 NIST 800-86
 http://www.cert.org/csirts/Creating-A-CSIRT.html
 http://www.ussecurityawareness.org/highres/incidentresponse.html
 http://windowsir.blogspot.com
 http://www.ericjhuber.com
 Chris Pogue – Trustwave SpiderLabs
 http://blog.spiderlabs.com (Sniper Forensics)
NEXT TIME