UTSA IS 6353 Security Incident Response

Lesson 10: Incident Response Toolkits
“Who said there were no free lunches anymore?”

Overview
- Cygwin
- Data integrity tools
- Network tools (netcat / cryptcat)
- Drive tools
- Viewers
- Search tools
- Forensics programs
- Other useful tools

Cygwin
A Unix environment for Windows, made of two parts:
- A DLL (cygwin1.dll) that acts as a UNIX emulation layer and provides substantial UNIX API functionality
- A collection of tools ported from UNIX that give a UNIX/Linux look and feel
When these slides were written the Cygwin DLL supported every Windows version since Windows 95 except Windows CE; current releases have dropped the 9x/Me line and the older NT-line versions, so check the build you carry against the target.
Caveat for live response: Cygwin binaries still call the victim's Windows DLLs and kernel through the emulation layer, so they are no more "trusted" than native tools if a rootkit has hooked those. Carry your own copy of cygwin1.dll and the binaries on read-only media, and treat the output as a starting point rather than ground truth.

Cygwin
Where to get it: http://www.cygwin.com/
What's included (the volatile-data commands used in live response):
- date, time, uptime
- uname -a
- hostname, whoami
- env
- ps
- netstat
- arp

Data Integrity Tools
Goal: maintain the chain of custody for evidence and prove that neither the evidence nor the tools have changed since collection (hash at collection, re-hash at analysis, compare).
- Maresware Disk_crc, http://www.dmares.com
- MD5 Summer, http://sourceforge.net/projects/md5summer
Caveat: MD5 collisions are practical today, so record a SHA-256 (or stronger) digest alongside any MD5 you keep for compatibility with older notes and tools.

Network Tool: Netcat / Cryptcat
- Creates a communication channel between two hosts
- Used during live response to push command output over a reliable TCP connection from the target system to the forensic workstation, so nothing has to be written to the target's disk
- Cryptcat is netcat plus Twofish encryption of the stream, keyed with a shared secret (-k); change the well-known default key before use
- Neither tool authenticates the peer or protects integrity on its own, so hash what arrives on the workstation immediately

Netcat Commands
Forensic workstation (192.168.1.1):
  E:\>nc -l -p 2222 > yourfilename
  Translation: run netcat in listen mode on TCP port 2222 and redirect everything it receives into "yourfilename"
Target system (trusted tools run from the A: floppy, not from the compromised disk):
  A:>pslist | nc 192.168.1.1 2222
  Translation: run pslist and pipe its output to netcat, which transmits it to 192.168.1.1 port 2222
Start the listener before the sender; netcat on the target exits when pslist finishes and the connection closes.

Netcat in Action
Hacked machine -> forensics workstation:
1. Run trusted commands on the hacked machine: time, date, loggedon, fport, pslist, nbtstat -c
2. Send the output of each command to the forensics workstation using netcat (the output never touches the hacked machine's disk)
3. On the workstation, MD5SUM the output files as soon as they arrive and record the digests
4. Perform the review off-line, on the workstation copies

Netcat Command Sequence
Forensics workstation (192.168.1.1):
  C:>nc -l -p 2222 > forensics.txt
  C:>md5sum forensics.txt > ?????
Hacked machine (trusted tools on A:; commands: time, date, loggedon, fport, pslist, nbtstat -c):
  A:>time | nc 192.168.1.1 2222
  A:>date | nc 192.168.1.1 2222
  *
  A:>nbtstat -c | nc 192.168.1.1 2222
Caveat: each piped command opens its own TCP connection, and a plain "nc -l" exits after the first connection closes, so the sequence exactly as shown keeps only the output of "time". Either restart the listener (appending with >>) before every command, or use the Windows netcat "-L" option (or "-k" on modern netcat builds), which re-listens after each client disconnects. The "?????" is the slide's placeholder for the file that receives the hash; keep it on the workstation with the case notes.
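The collection sequence above, modelled with Python sockets as an added example (it is not the slides' own material and not netcat itself): the workstation side accepts one connection per command and appends each stream to a single evidence file, the hacked-machine side opens a fresh connection per command exactly as each "cmd | nc host port" does, and the file is hashed on receipt. The command output is constructed sample text (pslist, fport and loggedon are not available here), everything runs on loopback, and the listener is written to survive several connections, which is the behaviour the plain "nc -l" in the slide lacks.

```python
"""Netcat-style volatile-data collection, modelled in Python sockets.

Added example (not the slides' own commands, and not netcat itself): the
forensic workstation listens on one TCP port and appends every inbound
stream to a single evidence file, then hashes that file.  The hacked-machine
side opens one connection per command, as each `cmd | nc host port` does.
Command output is constructed sample text; everything runs on loopback.
"""
import hashlib
import os
import socket
import tempfile
import threading

# Constructed stand-ins for what the trusted tools would print (not real captures).
SAMPLE_OUTPUT = {
    "date": b"The current date is: Tue 10/12/2004\r\n",
    "time": b"The current time is: 14:03:22.57\r\n",
    "pslist": (b"Name      Pid Pri Thd  Hnd   Priv     CPU Time\r\n"
               b"Idle        0   0   1    0      0  3:12:44.000\r\n"
               b"System      8   8  40  223      0  0:00:15.453\r\n"),
    "nbtstat -c": (b"Node IpAddress: [192.168.1.50] Scope Id: []\r\n"
                   b"    No names in cache\r\n"),
}


def listen_and_append(srv, out_path, expected_connections):
    """Workstation side: the equivalent of `nc -L -p 2222 >> forensics.txt`.

    Accepts `expected_connections` separate connections and appends each
    stream to out_path.  A plain `nc -l` exits after the first client
    disconnects, so a single listener would keep only the first command's
    output; -L (Windows netcat) or -k (modern netcat) re-listens instead."""
    with open(out_path, "ab") as fh:
        for _ in range(expected_connections):
            conn, _addr = srv.accept()
            conn.settimeout(10)
            with conn:
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:            # client closed: end of this command
                        break
                    fh.write(chunk)
    srv.close()


def send_output(host, port, label, data):
    """Hacked-machine side: the equivalent of `label | nc host port`.

    One TCP connection per command, closed when the output is exhausted.
    A header line is prepended so the combined file stays attributable."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(b"===== %s =====\r\n" % label.encode())
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)           # EOF to the listener, as nc does


def hash_bytes(data):
    """MD5 (the slide's md5sum step) plus SHA-256, because MD5 collisions
    are practical today and MD5 alone no longer proves integrity."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def read_evidence(path):
    with open(path, "rb") as fh:
        return fh.read()


def run_collection(commands=SAMPLE_OUTPUT):
    """Run the whole sequence on loopback; return (evidence_path, digests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))               # port 0: the OS picks a free port
    srv.listen(8)
    srv.settimeout(10)                       # never hang forever on a dead client
    host, port = srv.getsockname()
    fd, out_path = tempfile.mkstemp(prefix="forensics_", suffix=".txt")
    os.close(fd)

    listener = threading.Thread(
        target=listen_and_append, args=(srv, out_path, len(commands)))
    listener.start()
    for label, data in commands.items():     # one connection per command
        send_output(host, port, label, data)
    listener.join()

    return out_path, hash_bytes(read_evidence(out_path))


if __name__ == "__main__":
    path, digests = run_collection()
    print(path, digests)
```

The digests are computed from the workstation's copy the moment the last connection closes, which is the point at which the slide runs md5sum; anything the attacker does to the hacked machine afterwards cannot change what was already hashed.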

Drive Tools
Goal: support collection from hard disks, floppies and CDs
Partition tools:
- fdisk (Linux; the DOS version is obsolete)
- Partinfo (free)
- PartitionMagic (includes Partinfo, but costs money)
CD-R utilities:
- CD-R Diagnostics, http://infinadyne.com/forensicsoftware.html
Unerase tools:
- Windows: Norton Utilities Diskedit and Unerase; File Scavenger
- Unix: e2recover

Drive Tools (2)
Drive imagers:
- NTI's SafeBack
- SnapBack
- Ghost (Symantec); its default mode copies files rather than sectors and skips unallocated space, so it only yields a forensic image in its raw sector-copy mode
- dd, the Unix command: copies raw sectors, is free, and works on anything the kernel exposes as a device; run it behind a write blocker and hash the image as soon as it is written
Disk wipers (for sanitising your own collection media before reuse):
- DiskScrub from NTI
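What dd actually does when it is used as an imager, as an added example that is not part of the slides and is not dd itself: a Python model of "dd if=/dev/sdX of=evidence.dd bs=4096 conv=noerror,sync". "noerror" keeps copying after a read failure and "sync" pads the unreadable block (and a short final read) with zeros, so every later offset in the image still lines up with the source. The "device" is a constructed in-memory file in which one block raises an I/O error; no real disk is touched, and the bad-block list the function returns is the thing a practitioner must write in the notes, because the image hash will not match a hash of the source once any block has been zero-filled.

```python
"""dd-style raw imaging with `conv=noerror,sync` semantics, in Python.

Added example (not from the slides, and not dd itself).  Shows what
`dd if=/dev/sdX of=evidence.dd bs=4096 conv=noerror,sync` does when a
sector cannot be read: keep going, write a zero-filled block so later
offsets stay aligned, hash the image as it is written, log the bad block.
The "device" is a constructed in-memory file; no real disk is touched.
"""
import hashlib
import io

BLOCK = 4096   # bs=4096


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a block device: a read that starts inside
    block number `bad_block` raises EIO, as a dying disk would."""

    def __init__(self, data, bad_block=None):
        super().__init__(data)
        self.bad_block = bad_block

    def read(self, size=-1):
        if self.bad_block is not None and self.tell() // BLOCK == self.bad_block:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_device(src, dst, bs=BLOCK):
    """Copy src to dst one block at a time, hashing exactly what is written.

    noerror: a read error does not abort the copy.
    sync:    the unreadable block (and a short final block) is padded with
             zeros to exactly bs bytes, so offsets in the image match the
             source.  Returns (sha256_hex, list_of_bad_block_numbers)."""
    digest = hashlib.sha256()
    bad_blocks = []
    block = 0
    while True:
        try:
            chunk = src.read(bs)
        except OSError:
            bad_blocks.append(block)
            chunk = b"\x00" * bs
            src.seek((block + 1) * bs)        # skip past the unreadable block
        if not chunk:
            break
        if len(chunk) < bs:
            chunk = chunk.ljust(bs, b"\x00")  # sync: pad a short final read
        dst.write(chunk)
        digest.update(chunk)
        block += 1
    return digest.hexdigest(), bad_blocks


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_demo(bad_block=3):
    """Image a constructed 6-block disk whose block `bad_block` is unreadable.
    Returns (source_bytes, image_bytes, image_sha256, bad_blocks)."""
    disk = b"".join(bytes([0x41 + i]) * BLOCK for i in range(6))   # AAAA..FFFF
    src = FlakyDevice(disk, bad_block)
    dst = io.BytesIO()
    sha, bad = image_device(src, dst)
    return disk, dst.getvalue(), sha, bad


if __name__ == "__main__":
    disk, image, sha, bad = run_demo()
    print("image  sha256:", sha)
    print("source sha256:", sha256_hex(disk))
    print("bad blocks:", bad, "(record these; with a non-empty list the two",
          "hashes above legitimately differ)")
```

With no read errors the image is byte-identical to the source and the two hashes agree; with a bad block the image hash is still the one to record and re-verify later, and the bad-block list explains the mismatch against any vendor or prior hash of the source.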

File Viewers
Goal: let the investigator discover, view and analyse files regardless of the operating system they came from
- QuickView Plus: views over 200 file types
- Conversion Plus: views Mac files on Windows
- ThumbsPlus: catalogues and displays all image files

Search Tools
Goal: find keywords pertinent to the investigation
- dtSearch (NTI): searches text files, including Outlook .pst files
- Danny Mares StringSearch
Hidden streams (NTFS alternate data streams, which Explorer and a plain "dir" do not show; on Windows Vista and later "dir /r" lists them):
- SFind, www.foundstone.com
- Streams, www.sysinternals.com/ntw2k/source/misc.html

Forensics Programs
Focus: collect and analyse data
- SANS Investigative Forensic Toolkit (SIFT), http://digital-forensics.sans.org/community/downloads/
- Forensic Toolkit, www.foundstone.com; focus is on Windows NT systems
- The Coroner's Toolkit (TCT), for investigating a hacked Unix host:
  - grave-robber: collects volatile and file-system data, in order of volatility
  - mac utility (mactime): builds a timeline from file modify/access/change times
  - unrm: extracts the unallocated blocks of a file system
  - lazarus: tries to reassemble recovered blocks into recognisable files
  TCT's successor, The Sleuth Kit, carries these tools forward.

Forensics Programs (2)
- ForenSix by Dr. Fred Cohen, www.all.net: runs on Linux but can read many different file systems
- EnCase, www.encase.com: marketed at the time as the only fully integrated Windows-based forensics application

Foundstone Tools
http://www.foundstone.com/resources/forensics.htm (historical URL; Foundstone was acquired by McAfee in 2004)
- Pasco 1.0: parses Internet Explorer activity (index.dat) files
- Galleta 1.0: examines the content of IE cookie files
- Rifiuti 1.0: examines the INFO2 file in the Recycle Bin
- Vision 1.0: reports open TCP/UDP ports and maps each to the owning process
- NTLast 3.0: Security log analyser
- ShoWin 2.0: shows information about windows
- BinText 3.0: finds strings in a file
- Patchit 2.0: binary file byte-patching program

[Screenshots: Vision system information, processes view and services view; File Watch]

Sysinternals Tools
http://www.sysinternals.com/ntw2k/utilities.shtml
Monitoring tools:
- Diskmon 1.1: monitors disk activity
- Filemon 1.1: monitors file activity
- ListDLLs 2.23: lists all currently loaded DLLs
- NTFSInfo: gives the size and location of the MFT
- Portmon 3.02: monitors serial and parallel ports
- Process Explorer 6.03: shows which files, registry keys and other objects each process has open, and which DLLs it has loaded
- PsTools 1.82
- Regmon 6.06: monitors registry activity
Filemon and Regmon have since been merged into Process Monitor, and the whole suite now lives under Microsoft's Sysinternals site.

Sysinternals Tools (2)
Utilities:
- AccessEnum 1.0: used to find holes in file permissions
- NTRecover 1.0: access dead NT disks over a serial connection
- NTFSDOS 3.02: access NTFS drives read-only from DOS
- Remote Recover 2.0: access dead NT disks over a network connection

[Screenshots: PsTools and pslist output; Process Explorer views 1 and 2; Filemon; Regmon; a TCP/IP monitor trace of one single IE access to one web site]

Other Useful Tools
Password crackers (see pg 145):
- L0phtCrack, www.atstake.com
- John the Ripper, www.openwall.com/john
- chntpw, home.eunet.no/~pnordahl/ntpasswd
- Fast ZipCracker, www.netgate.com.uy/~fpapa
- AccessData, www.accessdata.com: provides entry to a wide range of application-encrypted files
- Elcomsoft, www.elcomsoft.com

Other Useful Tools (2)
Internet references:
- Matching hardware vendors to MAC address prefixes: www.cavebear.com/CaveBear/Ethernet/vendor.html
- Proxy servers available to the public: www.proxys4all.com
- List of defaced web sites: www.attrition.org
- List of HTTP status codes: www.w3.org/Protocols/HTTP/HTRESP.html
- File formats and header specifications: www.wotsit.org

[Screenshot: McAfee Visual Trace showing hostile activity traced to China]

Summary
Lots of free lunches out there when it comes to forensic tools and utilities… do some research!