Guidance EnCase Enterprise Architecture


Guidance EnCase Enterprise Architecture
- GSI SAFE Server: authentication, logging, role-based permissions.
- EnCase Enterprise Examiner: the analyst's workstation and user interface.
- EnCase Servlet: remote computers with the GSI servlet installed.
- The SAFE can be administered remotely through the EnCase Enterprise Examiner by someone holding the "Keymaster" credentials. Because the SAFE holds the authentication and role assignments for the whole deployment, the Keymaster credential is the most sensitive credential in this architecture.

WPMA.DLL Integration: Run Threat Analyzer EnScript Module
- Threat Analyzer EnScript, run from an EnCase Examiner with WPMA.dll.
- Enter machines, IP addresses, or ranges to scan, for example:
  10.10.10.1 – 10.10.20.255
  Zeus1
  Finance Department Workstations
  Research & Development Machines
  Web Servers
- Click Next.

WPMA.DLL Integration: Select Scan Configuration Options
- Threat Analyzer EnScript, run from an EnCase Examiner with WPMA.dll.
- Check the scans to run: Processes, Processes_Sweep, Drivers, Threads, Devices, SSDT, IDT, Network_Handles, File_Handles, Registry_Handles, VADS, Image_Imports, Image_Exports, DDNA (Digital DNA), Signatures, Handle_Tables, Memory_Pools, Heaps.
- Click Next.

WPMA.DLL Integration: How a scan runs
1. Threat Analyzer has the servlet send portions of the remote computer's physical memory back to the Enterprise Examiner across the network.
2. The EnCase Examiner passes that physical memory to WPMA.DLL for analysis.
3. WPMA.DLL starts parsing the physical memory, then tells EnCase which specific addresses it still needs from the servlet to complete each selected scan flag option.
4. After the scan completes, WPMA.DLL returns a Threat Score to EnCase: 1 if the machine is suspicious, 0 if it is not.
Because memory is pulled incrementally from a live system, kernel structures can change between requests; a pointer chain read across two round trips may not be self-consistent, so unexpected results should be re-scanned rather than treated as proof of tampering.

All Scan Flags for WPMA.DLL
- IMAGE_IMPORTS
- IMAGE_EXPORTS
- FILE_HANDLES (requires HANDLE_TABLES)
- REGISTRY_HANDLES (requires HANDLE_TABLES)
- IDT
- MEMORY_POOLS
- HEAPS
- DIGITAL_DNA
- SIGNATURES
- PROCESSES
- PROCESS_SWEEP
- DEVICES
- DRIVERS
- SSDT
- VADS
- THREADS
- NETWORK_HANDLES (requires HANDLE_TABLES)
- HANDLE_TABLES: required for FILE_HANDLES, REGISTRY_HANDLES and NETWORK_HANDLES; extends the capabilities of DRIVERS and DEVICES.

Scan Flag Details for WPMA.DLL
- PROCESSES: performs a scan using kernel structures to locate processes.
- PROCESS_SWEEP: performs a search of memory for process objects (memory intensive).
- THREADS: performs a scan using kernel structures to locate threads.
- DEVICES: performs a scan using kernel structures to locate devices.
- DRIVERS: performs a scan using kernel structures to locate drivers.
- HANDLE_TABLES: performs a scan using kernel structures to locate active handles. Required for FILE_HANDLES, REGISTRY_HANDLES and NETWORK_HANDLES; extends the capabilities of DRIVERS and DEVICES.
- FILE_HANDLES: performs a scan using the handle tables to locate open files.
- REGISTRY_HANDLES: performs a scan using the handle tables to locate open registry keys.
- NETWORK_HANDLES: performs a scan using the handle tables to locate open network connections.
- VADS: performs a scan using kernel structures to locate virtual address descriptors.
- IMAGE_IMPORTS: analyzes the import tables for all known images (memory intensive).
- IMAGE_EXPORTS: analyzes the export tables for all known images (memory intensive).
- SSDT: performs a scan of the System Service Descriptor Table.
- IDT: performs a scan of the Interrupt Descriptor Table.
- MEMORY_POOLS: performs a scan of the system-allocated memory pools.
- HEAPS: performs a scan of each process's heap segments.
- DIGITAL_DNA: generates DDNA hashes of all images (memory and CPU intensive).
- SIGNATURES: compares all results to known signatures (CPU intensive).
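The difference between PROCESSES (walk the kernel's process list) and PROCESS_SWEEP (search memory for process objects), and the 1-or-0 threat score described on the earlier slide, as an added Python example. This is not EnCase's or WPMA.DLL's code: the 32-byte object layout, the "Proc" tag, the offsets, the PIDs and the process names are constructed for the example, and the real Windows EPROCESS layout and pool tags differ. A PageReader stands in for the servlet returning only the pages the analyzer asks for, which also shows why the sweep is labelled memory intensive.

```python
"""Cross-view process detection over a constructed physical-memory image.

Toy layout for illustration only; it is not the Windows EPROCESS layout
and not EnCase's or WPMA.DLL's code."""
import struct

PAGE = 0x1000
TAG = b"Proc"                      # constructed pool tag marking a process object
OBJ_FMT = "<4sIII16s"              # tag, pid, flink, blink, name (32 bytes)
OBJ_SIZE = struct.calcsize(OBJ_FMT)
HEAD = 0x40                        # list head offset (stands in for PsActiveProcessHead)


class PageReader:
    """Serves reads from the image and records which pages were touched, the way
    the examiner only pulls the physical pages the analyzer asks for."""

    def __init__(self, image):
        self.image = image
        self.pages = set()

    def read(self, addr, n):
        if addr < 0 or addr + n > len(self.image):
            raise ValueError(f"read outside image: {addr:#x}+{n}")
        self.pages.update(range(addr // PAGE, (addr + n - 1) // PAGE + 1))
        return self.image[addr:addr + n]


def build_image(size=8 * PAGE):
    """Constructed image: three processes on the active list, one unlinked (hidden)."""
    img = bytearray(size)
    linked = [(4, b"System", 0x1000), (432, b"lsass.exe", 0x2000),
              (1200, b"explorer.exe", 0x3000)]
    chain = [HEAD] + [off for _, _, off in linked]      # circular list through the head
    for i, (pid, name, off) in enumerate(linked):
        flink, blink = chain[(i + 2) % len(chain)], chain[i]
        img[off:off + OBJ_SIZE] = struct.pack(OBJ_FMT, TAG, pid, flink, blink, name)
    img[HEAD:HEAD + 8] = struct.pack("<II", chain[1], chain[-1])
    # DKOM-style hidden process: object still in memory, links point only to itself
    img[0x6000:0x6000 + OBJ_SIZE] = struct.pack(OBJ_FMT, TAG, 1337, 0x6000, 0x6000, b"rootkit.exe")
    return bytes(img)


def parse_proc(rd, off):
    tag, pid, flink, blink, name = struct.unpack(OBJ_FMT, rd.read(off, OBJ_SIZE))
    return {"offset": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}


def scan_processes(rd):
    """PROCESSES-style scan: walk the kernel's active-process list from its head."""
    found, seen = [], set()
    (flink,) = struct.unpack("<I", rd.read(HEAD, 4))
    while flink != HEAD and flink not in seen:     # guard against a corrupted, looping list
        seen.add(flink)
        proc = parse_proc(rd, flink)
        found.append(proc)
        flink = proc["flink"]
    return found


def sweep_processes(rd):
    """PROCESS_SWEEP-style scan: carve every object that looks like a process,
    whether or not anything links to it. Touches every page, hence memory intensive."""
    found, size = [], len(rd.image)
    for off in range(0, size - OBJ_SIZE + 1, 8):    # pool allocations are 8-byte aligned
        if rd.read(off, 4) != TAG:
            continue
        proc = parse_proc(rd, off)
        # plausibility checks so random bytes are not reported as a process
        if proc["pid"] == 0 or proc["flink"] >= size or proc["blink"] >= size:
            continue
        found.append(proc)
    return found


def threat_score(listed, swept):
    """1 if the sweep finds a process the list walk did not (a hidden process), else 0."""
    visible = {p["offset"] for p in listed}
    hidden = [p for p in swept if p["offset"] not in visible]
    return (1 if hidden else 0), hidden


def run_scan(image=None):
    image = build_image() if image is None else image
    walk, sweep = PageReader(image), PageReader(image)
    listed, swept = scan_processes(walk), sweep_processes(sweep)
    score, hidden = threat_score(listed, swept)
    return {"listed": [p["name"] for p in listed], "hidden": [p["name"] for p in hidden],
            "score": score, "pages_walk": len(walk.pages), "pages_sweep": len(sweep.pages)}


if __name__ == "__main__":
    print(run_scan())
```

Running the block reports the three listed processes, "rootkit.exe" as hidden, a score of 1, and four pages touched by the list walk against all eight by the sweep. The walk is cheap but trusts the kernel's links, which is exactly what an unlinking rootkit subverts; the sweep trusts nothing but costs a full pass over memory, which is why the slide deck offers both and builds the score from their disagreement.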

Quick Scan Flags for WPMA.DLL
- PROCESSES
- PROCESS_SWEEP
- DEVICES
- DRIVERS
- SSDT
- VADS