Chapter 7 Live Data Collection Spring 2016 - Incident Response & Computer Forensics.

The Goal

 Preserving volatile evidence
 Risks involved
   The data collection process may change system state
   It may even cause the system to crash
 Make every effort to minimize the changes made to the suspect's computer

When to Perform a Live Response

 You think volatile data contains critical information not found anywhere else
 Forensic duplication is impractical (e.g., too many systems to collect data from)
 Forensic duplication may fail
 Reasons exist to preserve as much data as possible
 Risk
   Any interaction with a system changes its state

Selecting a Live Response Tool

 Factors for evaluating live response tools
   Is the tool accepted in the forensic community?
   Does it work in common OS environments?
   Does it collect data that is helpful?
   How much time does it take to collect data?
   Can the tool be configured?
   Can the output be easily reviewed and understood?
 Always use trusted tools/files

What to Collect?

 Two types of data can be collected
   Data that describe the current state of the system
   Data that are less volatile and show what has happened in the past
 Live Response data
   System date, time, time zone
   OS version information
   General system information: memory, hard disk, etc.
   Local user account information
   Network interface information
   Network connections and associated processes
   Files and other open handles
   ...... (See pages 140 – 141 in the textbook for a suggested list)

Collection Best Practices

 Before running live response on a suspect system, practice on a test system
   Run the tests multiple times and on more than one system
 Minimize the time spent on the system during data collection
 The suspect system may be compromised by malware, so:
   Document what you do and when you do it
   Do not interact with the suspect system unless there is a plan
   Use tools that minimize the impact on the target system

Collection Best Practices (continued)

 The suspect system may be compromised by malware (continued), so:
   Use tools that keep a log and compute checksums of their output
   Automate the collection process
   Collect data in order of volatility (most volatile first)
 Treat the collected data as evidence
 Do not keep any important files on the media that you connect to the suspect's system
 Do not make any modification to the suspect's system unless it is absolutely necessary
 Do not perform analysis on the suspect's system
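The practices on the last three slides (trusted tools only, a log of what was run and when, checksums of every output file, automation, and collection in order of volatility) combined into one POSIX shell collector. This is an added example written for these notes, not code from the course, the textbook, or any tool it names. It assumes a hypothetical response-media layout: trusted, statically linked copies of the standard tools in $TRUSTED_BIN (placeholder default /mnt/ir/bin), hashed there on a clean system with make_manifest, and an output directory on the responder's own writable media. Tool names (ps, ss, ip, lsof, w) are the usual Linux ones; a tool missing on the host is logged and skipped rather than aborting the collection.

```shell
#!/bin/sh
# Added example (not part of the course slides): a minimal live-response
# collector that follows the best practices above. Assumptions (hypothetical):
#   - trusted, statically linked tools were copied to $TRUSTED_BIN on the
#     responder's read-only media and hashed there with make_manifest;
#   - output goes to a directory on the responder's writable media, never
#     to the suspect's disk;
#   - any tool missing on the host is logged and skipped.

# Print "<sha256>  <file>"; prefers sha256sum, falls back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Hash every file in a directory into DIR/manifest.sha256. Used once for the
# toolkit on a clean system, and again for the collected evidence afterwards.
make_manifest() {
    ( cd "$1" && for f in *; do
          [ "$f" = manifest.sha256 ] || hash_file "$f"
      done ) >"$1/manifest.sha256"
}

# Return 0 only if every file listed in DIR/manifest.sha256 still matches.
verify_manifest() {
    ( cd "$1" && while read -r sum name; do
          [ "$(hash_file "$name" | cut -d' ' -f1)" = "$sum" ] || exit 1
      done <manifest.sha256 )
}

# Append a UTC-timestamped line to the collection log: what was done, when.
log_step() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$OUTDIR/collection.log"
}

# One collection step: $1 = artefact name, remainder = command line.
# stdout and stderr are captured separately; the exit status is logged.
run_step() {
    name=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        log_step "SKIP $name: '$1' not available on this host"
        return 0
    fi
    log_step "BEGIN $name: $*"
    rc=0
    "$@" >"$OUTDIR/$name.txt" 2>"$OUTDIR/$name.err" || rc=$?
    log_step "END   $name (exit $rc)"
}

# Collect in order of volatility (clock, memory, processes, network, then
# accounts and mounts), then checksum everything including the log.
collect_live_response() {
    OUTDIR=$1
    mkdir -p "$OUTDIR" || return 1
    # Trusted tools are searched first. In a real response PATH would be
    # ONLY the response media; the fallback here keeps the example runnable.
    PATH="${TRUSTED_BIN:-/mnt/ir/bin}:$PATH"; export PATH
    : >"$OUTDIR/collection.log"
    log_step "START host=$(uname -n) responder_uid=$(id -u) path=$PATH"
    run_step 01_date       date -u
    run_step 02_uptime     cat /proc/uptime
    run_step 03_sysinfo    uname -a
    run_step 04_meminfo    cat /proc/meminfo
    run_step 05_processes  ps -eo pid,ppid,user,etime,args
    run_step 06_netconns   ss -tunap
    run_step 07_ifaces     ip addr
    run_step 08_openfiles  lsof -n -P     # -n -P: no DNS/port lookups from the host
    run_step 09_logged_in  w
    run_step 10_accounts   cat /etc/passwd
    run_step 11_mounts     cat /proc/mounts
    log_step "FINISH"
    make_manifest "$OUTDIR"
}

# Usage: sh collect.sh /mnt/ir/out/<hostname>-<date>
if [ $# -gt 0 ]; then
    collect_live_response "$1"
fi
```

On the clean build system, run make_manifest on the toolkit directory and verify_manifest on it again before the media is ever attached to a suspect host. After collection, the manifest.sha256 written next to the evidence goes into the chain-of-custody record, and running verify_manifest on the output directory later shows whether any artefact (including the log) was altered. The collector writes nothing to the suspect's disk, prefers the trusted tools over the host's own binaries, and records every command with its start time, end time and exit status, which is the documentation the slides ask for.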