Add to collection(s) Add to saved
  1. No category

Windows Forensics for Incident Response - NAISG

advertisement 
WINDOWS FORENSICS FOR
INCIDENT RESPONSE
CHRISTIAN KOPACSI
CISSP CISM CEH CHFI SECURITY+
WHAT IS INCIDENT
RESPONSE
An organized approach to addressing and managing the
aftermath of a security breach or attack.
STEPS TO SUCCESS
PURPOSE OF
INCIDENT RESPONSE

Preparation


Detection & Analysis


Root cause analysis
Recovery


Prevent further damage
Eradication


Did an incident occur
Containment


User Awareness
Reimage the affected workstation
Post Incident Activity

Lessons Learned
PREPARATION
 User Awareness & Training
SOCIAL ENGINEERING
DETECTION &
ANALYSIS
 You can’t Respond if you can’t Detect
 Logs – Hopefully a SIEM
 Workstation \ Server
 Firewall
 IDS \ IPS
 Internet Proxy \ Filter
 MSSP \ 3rd Party
 End Users \ Customers
 You!
CONTAINMENT
 Prevent Further Damage
 NAC
 ACL
 Firewall
 Switch
 Software
 Application Whitelisting
 AV
ERADICATION
 Root Cause Analysis
 Make Sure Problem
Does Not Come Back!
RECOVERY
 Known Good Configuration
 Reimage Device
 Restore from Backup
POST INCIDENT
ACTIVITY
 Lessons Learned
 What Worked
 What Didn’t Work
 New Policy \ Procedures
 Change to existing Controls
 Implement New Controls
WINDOWS BASED
FORENSIC TOOLKIT
TABLEAU WRITE
BLOCKER
 SATA\IDE
DIGITAL CAMERA
 Document state of evidence
 Inventory items seized
CHAIN OF CUSTODY
FORM
 Log all transfer of evidence
EVIDENCE BAGS
MISC.
ACCESSDATA FTK
IMAGER
 Physical\Logical Hard Drive Acquisition
ACCESSDATA FTK
IMAGER
 Live Memory Acquisition
 Encryption Keys, Passwords, Running Processes
IMDISK VIRTUAL DISK
DRIVER
 Mount evidence files as Read Only Hard Drive
REGRIPPER
 Registry Analysis





SAM
Security
Software
System
NTUser
HELIX
 Free Version still available
 Best of Both Worlds
 Run applications from within Windows
 Boot from Linux Live CD
MALWAREBYTES
ANTI-MALWARE
EXIFTOOL - PHOTOS
EXIFTOOL – OFFICE
DOCUMENTS
PROCMON
INTERNET EVIDENCE
FINDER
FORENSIC SOFTWARE
SUITE
FORENSICS AND THE
STATE OF MICHIGAN
 PROFESSIONAL INVESTIGATOR LICENSURE ACT
 As of May 28, 2008, all computer forensic firms must have
a Private Investigators license to practice in Michigan.
 Any person engaged in the collection of electronic
evidence and/or engaged for the presentation electronic
evidence in a Michigan court must have a valid Private
Investigators License
REFERENCES &
THANKS
 NIST 800-61
 NIST 800-86
 http://www.cert.org/csirts/Creating-A-CSIRT.html
 http://www.ussecurityawareness.org/highres/incidentresponse.html
 http://windowsir.blogspot.com
 http://www.ericjhuber.com
 Chris Pogue – Trustwave SpiderLabs
 http://blog.spiderlabs.com (Sniper Forensics)
NEXT TIME
Related documents
Critically incident technique The Critical Incident Technique (or CIT
Critically incident technique The Critical Incident Technique (or CIT
PPT Presentation - Projects at Harvard
PPT Presentation - Projects at Harvard
Based on your reading (NIST 800-61), answer the following questions
Based on your reading (NIST 800-61), answer the following questions
Focus Systems signs exclusive authorized forensic training deal with
Focus Systems signs exclusive authorized forensic training deal with
Near Miss Incident Reporting and Investigation
Near Miss Incident Reporting and Investigation
ACADEMIC INTEGRITY VIOLATION FORM
ACADEMIC INTEGRITY VIOLATION FORM
Incident Reporting Form
Incident Reporting Form
Senior Software Engineer - Computer Science Job Board
Senior Software Engineer - Computer Science Job Board
Profile
Profile
Curriculum Framework
Curriculum Framework
HOW TO USE EXIFTOOLS
HOW TO USE EXIFTOOLS
Data Acquisition Guidelines for Investigation Purposes - CERT-EU
Data Acquisition Guidelines for Investigation Purposes - CERT-EU
Download
advertisement