WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+


WHAT IS INCIDENT RESPONSE An organized approach to addressing and managing the aftermath of a security breach or attack.

STEPS TO SUCCESS

PURPOSE OF INCIDENT RESPONSE
- Preparation
  - User Awareness
- Detection & Analysis
  - Did an incident occur?
- Containment
  - Prevent further damage
- Eradication
  - Root cause analysis
- Recovery
  - Reimage the affected workstation
- Post Incident Activity
  - Lessons Learned

PREPARATION
- User Awareness & Training

SOCIAL ENGINEERING

DETECTION & ANALYSIS
- You can't Respond if you can't Detect
- Logs – Hopefully a SIEM
  - Workstation \ Server
  - Firewall
  - IDS \ IPS
  - Internet Proxy \ Filter
- MSSP \ 3rd Party
- End Users \ Customers
- You!

CONTAINMENT
- Prevent Further Damage
  - NAC
  - ACL
  - Firewall
  - Switch
- Software
  - Application Whitelisting
  - AV

ERADICATION
- Root Cause Analysis
- Make Sure the Problem Does Not Come Back!

RECOVERY
- Known Good Configuration
- Reimage Device
- Restore from Backup

POST INCIDENT ACTIVITY
- Lessons Learned
  - What Worked
  - What Didn't Work
- New Policy \ Procedures
  - Change to existing Controls
  - Implement New Controls

WINDOWS BASED FORENSIC TOOLKIT

TABLEAU WRITE BLOCKER
- SATA \ IDE

DIGITAL CAMERA
- Document state of evidence
- Inventory items seized

CHAIN OF CUSTODY FORM
- Log all transfers of evidence

EVIDENCE BAGS

MISC.

ACCESSDATA FTK IMAGER
- Physical \ Logical Hard Drive Acquisition

ACCESSDATA FTK IMAGER
- Live Memory Acquisition
  - Encryption Keys, Passwords, Running Processes

IMDISK VIRTUAL DISK DRIVER
- Mount evidence files as a Read Only Hard Drive
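The acquisition and mounting slides above both rest on the same check: the image you examine must be byte-for-byte the image you acquired. The script below is an added example (not part of the original slides, and not FTK Imager's or ImDisk's code) that hashes an image in streaming fashion, compares it with the hashes recorded on the chain-of-custody form at acquisition time, and shows that a single changed byte (for instance from a mount that was not actually read-only) is detected. The file name and the tiny sample "image" are constructed for the demonstration.

```python
"""Verify that a disk image still matches the hashes recorded when it was
acquired (added example; not from the original slides).

Assumptions: the expected hashes come from the chain-of-custody form, and
the sample file written here stands in for a real .dd / .E01 image.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # read large images in 4 MiB chunks


def hash_image(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the file at path, streaming it so a
    multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare computed hashes with the recorded ones.

    expected: {algorithm: hexdigest} as written on the custody form.
    Returns (ok, details) where details maps algorithm -> (expected, actual).
    """
    actual = hash_image(path, tuple(expected))
    details = {name: (expected[name].lower(), actual[name]) for name in expected}
    ok = all(exp == act for exp, act in details.values())
    return ok, details


def demo():
    """Write a constructed stand-in image, record its hashes, verify it, then
    flip one byte and verify again. Returns (before_ok, after_ok, recorded)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")  # constructed sample path
        with open(path, "wb") as fh:
            fh.write(b"abc")  # constructed content; a real image is far larger
        recorded = hash_image(path)  # values that go on the custody form
        before_ok, _ = verify_image(path, recorded)
        # Simulate a modification after acquisition, e.g. a read-write mount.
        with open(path, "r+b") as fh:
            fh.seek(1)
            fh.write(b"\xff")
        after_ok, mismatch = verify_image(path, recorded)
    return before_ok, after_ok, recorded


if __name__ == "__main__":
    before, after, recorded = demo()
    print("recorded:", recorded)
    print("verified before change:", before)  # True
    print("verified after change: ", after)   # False
```

Run the verification both when the image is first received and again after every analysis session; an unchanged hash is what lets you state in court that the read-only mount did what the label says.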

REGRIPPER
- Registry Analysis
  - SAM
  - Security
  - Software
  - System
  - NTUser

HELIX
- Free Version still available
- Best of Both Worlds
  - Run applications from within Windows
  - Boot from Linux Live CD

MALWAREBYTES ANTI-MALWARE

EXIFTOOL - PHOTOS

EXIFTOOL – OFFICE DOCUMENTS

PROCMON

INTERNET EVIDENCE FINDER

FORENSIC SOFTWARE SUITE

FORENSICS AND THE STATE OF MICHIGAN
- PROFESSIONAL INVESTIGATOR LICENSURE ACT
- As of May 28, 2008, all computer forensic firms must have a Private Investigator's license to practice in Michigan.
- Any person engaged in the collection of electronic evidence and/or engaged for the presentation of electronic evidence in a Michigan court must have a valid Private Investigator's License.

REFERENCES & THANKS
- NIST
- NIST – response.html
- Chris Pogue – Trustwave SpiderLabs (Sniper Forensics)

NEXT TIME