Mastering Windows Network Forensics and Investigation


Chapter 6: Live Analysis Techniques
Chapter Topics:
• Prepare a toolkit to acquire RAM from a live system
• Identify the pros and cons of performing a live analysis
Finding Evidence in Memory
• Hackers attempt to hide evidence of their activities
• The traditional focus of law-enforcement (LE) forensics is the hard drive of the victim
• Hackers have designed their toolsets around this philosophy by using code that executes only in RAM and never touches the disk
– DLL injection
– Hooks
IR Considerations
• Pulling the plug will remove invaluable data from RAM
• Keep interaction with the target to a bare minimum
• Bring your own trusted tools!
• Think before you act…then think again
• Document everything
Creating a Live-Analysis Toolkit
• Think about the reason for performing every action
• Use only trusted and validated analysis tools
• Request intimate details about the target system before you arrive
– OS?
– Architecture? (32 vs 64 bit?)
• Assume you have only one shot to capture volatile data correctly
RAM Acquisition Tools
• DumpIt
– Creates binary dump
– Supports 32/64-bit
– CLI
• WinEN
– Creates EnCase evidence file
– Supports 32/64-bit
– CLI
• FTK Imager Lite
– Creates binary dump
– Supports 32/64-bit
– GUI-based
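The IR considerations, toolkit rules and acquisition tools above are one procedure: record the target, verify the tool you brought, acquire, hash, and log every step. The following PowerShell script is an added example of that procedure; it is not code from the book or from any of the tool vendors. The USB paths, the case directory and the known-good hash are placeholders, the DumpIt behaviour described in the comments is an assumption about the classic MoonSols build, and the script needs PowerShell 4 or later (for Get-FileHash) in an elevated prompt.

```powershell
# Added example (not from the book): a small acquisition wrapper run from the
# responder's own media. Paths, case name and the known-good hash are
# placeholders you replace with your own values. Needs PowerShell 4 or later
# (Get-FileHash) and an elevated prompt.
#Requires -RunAsAdministrator
param(
    [string]$ToolDir   = 'E:\IR\Tools',          # assumption: trusted USB carrying DumpIt.exe
    [string]$OutDir    = 'E:\IR\Cases\case01',   # assumption: output goes back to the USB, not the victim disk
    [string]$KnownGood = 'REPLACE-WITH-SHA256-OF-YOUR-VALIDATED-DUMPIT'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'acquisition.log'

# Every action is timestamped in UTC and written to the log: "document everything".
function Note([string]$Msg) {
    $line = '{0:u}  {1}' -f (Get-Date).ToUniversalTime(), $Msg
    Add-Content -Path $log -Value $line
    Write-Host $line
}

# 1. Record the target details the toolkit decisions depend on (OS, 32/64-bit,
#    RAM size, boot time, who is logged on) before doing anything else.
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Note "host=$env:COMPUTERNAME os=$($os.Caption) build=$($os.BuildNumber) arch=$($os.OSArchitecture)"
Note "ram_bytes=$($cs.TotalPhysicalMemory) boot=$($os.LastBootUpTime.ToString('u')) responder=$me"

# 2. Verify the tool you brought against the hash you recorded when you validated it.
$tool = Join-Path $ToolDir 'DumpIt.exe'
$h = (Get-FileHash -Algorithm SHA256 -Path $tool).Hash
if ($h -ne $KnownGood) { Note "ABORT: $tool sha256=$h does not match known-good value"; exit 1 }
Note "tool=$tool sha256=$h"

# 3. Acquire. The classic MoonSols DumpIt asks y/n and writes HOSTNAME-DATE.raw
#    into its working directory (assumed behaviour; confirm for the build you carry).
Note 'acquisition start'
$p = Start-Process -FilePath $tool -WorkingDirectory $OutDir -Wait -PassThru
Note "acquisition end exit=$($p.ExitCode)"

# 4. Hash the dump immediately so integrity can be shown after transport.
Get-ChildItem -Path $OutDir -Filter '*.raw' | ForEach-Object {
    $d = Get-FileHash -Algorithm SHA256 -Path $_.FullName
    Note "dump=$($_.Name) bytes=$($_.Length) sha256=$($d.Hash)"
}
```

Two caveats belong in the log as well. Starting PowerShell and querying CIM allocate memory on the target and start a WMI provider host, so even this "minimal" interaction overwrites some RAM; that is the trade-off the slides warn about, and the log shows exactly what was run and when. Second, the dump is written to the responder's media, never to the victim's disk, so nothing the suspect left in unallocated space is overwritten.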
RAM Analysis Tools
• Volatility 2.0
– Open source RAM analysis tool
– Active network connections
– Running processes
– Loaded DLLs
• Memoryze
• Consider mounted encrypted volumes: their keys live only in RAM and the volumes become unreadable once the system is powered off, so capture memory and image them while they are still mounted
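The three Volatility bullets above (connections, processes, DLLs) are usually run as one scripted triage pass. The following PowerShell is an added example of that pass, not the book's code and not part of Volatility: it chooses the network plugin by profile (Volatility 2.x reads the XP/2003 connection tables with connections/sockets and their scanning variants, while Vista, 2008 and 7 need the pool-scanning netscan plugin), saves each plugin's raw output, and then parses netscan's text table to list established remote endpoints per owning process. The Python and vol.py paths are assumptions, and the netscan sample is constructed, not from a real case.

```powershell
# Added example (not the book's code): scripted Volatility 2.x triage plus a
# parser for netscan's text output. Paths are assumptions; the sample is constructed.
$Python = 'python'                           # assumption: Python 2.x on the analyst workstation
$VolPy  = 'C:\tools\volatility\vol.py'       # assumption: Volatility 2.x checkout

# Process/DLL plugins are the same for every profile. Network plugins are not:
# XP/2003 expose connection tables read by connections/sockets (plus the scanning
# variants); Vista/2008/7 need the pool-scanning netscan plugin.
function Get-TriagePlugins([string]$Profile) {
    $common = @('pslist', 'psscan', 'pstree', 'dlllist')
    if ($Profile -match '^Win(XP|2003)') { return $common + @('connections', 'connscan', 'sockets', 'sockscan') }
    return $common + @('netscan')
}

# Run each plugin once and keep its raw output next to the image; run
# "vol.py -f <image> imageinfo" first if you do not know the profile.
function Invoke-Triage([string]$Image, [string]$Profile, [string]$OutDir) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($plugin in Get-TriagePlugins $Profile) {
        $out = Join-Path $OutDir "$plugin.txt"
        & $Python $VolPy -f $Image "--profile=$Profile" $plugin 2>&1 | Out-File -FilePath $out -Encoding ascii
    }
}
# Invoke-Triage -Image 'D:\case01\HOST-20110812.raw' -Profile 'Win7SP1x64' -OutDir 'D:\case01\vol'

# netscan prints: Offset Proto Local Foreign [State] Pid Owner [Created]; State is
# empty for UDP rows, so it is optional in the pattern.
function ConvertFrom-NetScan([string[]]$Lines) {
    $re = '^0x[0-9a-fA-F]+\s+(?<proto>\S+)\s+(?<local>\S+)\s+(?<foreign>\S+)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s+(?<owner>\S+)'
    foreach ($l in $Lines) {
        $m = [regex]::Match($l, $re)
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            Proto   = $m.Groups['proto'].Value
            Local   = $m.Groups['local'].Value
            Foreign = $m.Groups['foreign'].Value
            State   = $m.Groups['state'].Value
            Pid     = [int]$m.Groups['pid'].Value
            Owner   = $m.Groups['owner'].Value
        }
    }
}

# Constructed netscan output (not from a real case) to exercise the parser.
$sample = @'
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6c1a50 TCPv4    192.168.1.5:49203              203.0.113.10:443     ESTABLISHED      1840     svchost.exe
0x7d6c2b10 TCPv4    192.168.1.5:49211              198.51.100.7:4444    ESTABLISHED      2212     notepad.exe
0x7d6c3c70 UDPv4    0.0.0.0:5355                   *:*                                   1032     svchost.exe    2011-08-12 14:02:11 UTC+0000
0x7d6c4d30 TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
'@ -split "`r?`n"

# Who is talking to whom: established connections grouped by owning process.
ConvertFrom-NetScan $sample |
    Where-Object { $_.State -eq 'ESTABLISHED' } |
    Group-Object Owner, Pid |
    ForEach-Object { '{0,-22} {1}' -f $_.Name, (($_.Group | ForEach-Object Foreign) -join ', ') }
```

The "Owner" column is whatever EPROCESS the socket points at, so read it next to pslist and psscan: a process that appears in psscan but not pslist has been unlinked from the active process list, and a connection that a sniffer sees on the wire but netscan does not attribute to any process is the kind of hiding the chapter describes. A user-facing process such as notepad.exe holding an established connection to a high, non-standard port is the pattern to pull the dlllist output for first.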
Monitoring Communications
• Network Sniffer
– Analyze which IPs are engaged with victim systems
– Which ports are being used
– Network packet payload
• Network Port Scanner
– Analyze which ports are open on the network
– Determine what services are legitimate
• Open Source Tools
– Nmap
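"Determine what services are legitimate" means comparing what a scanner finds against what you expect on each host. The following PowerShell is an added example of that comparison, not code from the book or from the Nmap project: it parses Nmap's grepable output format (the -oG option) and reports every open port that is not in a per-host baseline. Both the baseline and the scan lines are constructed for illustration.

```powershell
# Added example (not from the book): compare nmap's grepable output against a
# per-host baseline of expected services. The baseline and the scan lines below
# are constructed for illustration.

# Parse "Host: ip (name)<TAB>Ports: port/state/proto//service///, ...<TAB>Ignored State: ..." lines
function ConvertFrom-NmapGrepable([string[]]$Lines) {
    foreach ($l in $Lines) {
        if ($l -match '^Host:\s+(?<ip>\S+).*?Ports:\s+(?<ports>[^\t]+)') {
            $ip = $Matches['ip']
            foreach ($entry in ($Matches['ports'] -split ',\s*')) {
                $f = $entry -split '/'
                if ($f[1] -ne 'open') { continue }      # filtered/closed ports are not services
                [pscustomobject]@{ Host = $ip; Port = [int]$f[0]; Proto = $f[2]; Service = $f[4] }
            }
        }
    }
}

# Anything open that is not in the baseline for that host is reported; a host
# missing from the baseline has every open port reported.
function Compare-OpenPorts($Observed, [hashtable]$Baseline) {
    foreach ($o in $Observed) {
        $expected = $Baseline[$o.Host]
        if ($null -eq $expected -or $o.Port -notin $expected) {
            [pscustomobject]@{ Host = $o.Host; Port = $o.Port; Proto = $o.Proto; Service = $o.Service }
        }
    }
}

# Baseline: the ports you decided are legitimate on each host (constructed).
$baseline = @{
    '192.168.1.5'  = @(135, 139, 445, 3389)
    '192.168.1.10' = @(80, 443)
}

# Constructed nmap -oG lines (the kind written by: nmap -sS -p- -oG scan.gnmap 192.168.1.0/24)
$scan = @(
    "Host: 192.168.1.5 (ws05.example)`tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///`tIgnored State: closed (65532)",
    "Host: 192.168.1.10 (web.example)`tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///`tIgnored State: closed (65532)",
    "Host: 192.168.1.77 ()`tPorts: 22/open/tcp//ssh///`tIgnored State: closed (65534)"
)

Compare-OpenPorts (ConvertFrom-NmapGrepable $scan) $baseline | Format-Table -AutoSize
```

With the constructed data the report contains 192.168.1.5 port 4444 (the only open port on that host outside its baseline) and 192.168.1.77 port 22 (a host nobody baselined); the filtered 8080 on the web server is skipped because it is not open. The service name Nmap prints in -oG output comes from its port table, not from a probe, so treat "krb524" on 4444 as a label to verify, not as an identification; a version scan (-sV) or the sniffer's view of the payload is what tells you what is really listening.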