Chapter 7 Live Data Collection Spring 2016 - Incident Response & Computer Forensics.

Slide 1: Chapter 7 Live Data Collection, Spring 2016 - Incident Response & Computer Forensics

Slide 2: The Goal
- Preserving volatile evidence
- Risks involved
  - The data collection process may change system state
  - It may even cause the system to crash
  - One must make an effort to minimize the change to the suspect's computer

Slide 3: When to Perform a Live Response
- If you think volatile data contains critical information not found anywhere else
- Forensic duplication is difficult (e.g., too many systems to collect data from)
- Forensic duplication may fail
- Reasons exist to preserve as much data as possible
- Risk: any interaction with a system makes changes to system state

Slide 4: Selecting a Live Response Tool
- Factors for evaluating live response tools
  - Is the tool accepted in the forensic community?
  - Does it work in common OS environments?
  - Does it collect data that is helpful?
  - How much time does it take to collect data?
  - Can the tool be configured?
  - Can the output be easily reviewed and understood?
- Always use trusted tools/files

Slide 5: What to Collect?
- Two types of data can be collected
  - Data that describe the current state of the system
  - Data that is less volatile and shows what has happened in the past
- Live response data
  - System date, time, time zone
  - OS version information
  - General system information: memory, hard disk, etc.
  - Local user account information
  - Network interface information
  - Network connections and associated processes
  - Files and other open handles
  - ... (see pages 140-141 in the textbook for a suggested list)

Slide 6: Collection Best Practices
- Before running live response on a suspect system, practice on a test system
- Run the tests multiple times and on more than one system
- Minimize the time spent on the system during data collection
- The suspect system may have been infected with malware, so:
  - Document what you do and when you do it
  - Do not interact with the suspect system unless there is a plan
  - Use tools that minimize the impact on the target system

Slide 7: Collection Best Practices (continued)
- The suspect system may have been infected with malware (continued)
  - Use tools that keep a log and compute checksums of output
  - Automate the collection process
  - Try to collect data in order of volatility
- Treat the data collected as evidence
  - Do not keep any important files etc. on the media that you connect to the suspect's system
  - Do not do anything that will result in unnecessary modifications to the suspect's system, unless it is absolutely necessary
  - Do not perform analysis on the suspect's system
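The practices on slides 6 and 7 (document what ran and when, keep a log, checksum every output, automate the run, collect in order of volatility, write only to the responder's own media) can be combined into one small collector. The script below is an added example written for this transcript; it is not from the course, the textbook, or any named tool. The DEFAULT_COLLECTORS list is a constructed, Unix-style example of a volatility-ordered run (date, uname, ps, ss are assumed to exist on the host); on a real engagement each argv[0] would point at a trusted binary on the responder's media, and the output directory would be on that media, not on the suspect's disk.

```python
"""Minimal live-response collector: runs commands in volatility order, records
start/end timestamps for each, hashes every output with SHA-256, and writes a
manifest so the collected files can be verified later.
Added example for the slides above; not from the course or textbook.
"""
import datetime
import hashlib
import json
import os
import platform
import subprocess
import sys

# Interpreter path, exposed so self-contained demonstrations can run a
# collector that does not depend on any external tool being installed.
PYTHON = sys.executable

# Constructed example list, most volatile first (slide 7: "collect in order of
# volatility"). Assumption: a Unix-like host; in practice point argv[0] at
# trusted binaries on the responder's own media (slide 4).
DEFAULT_COLLECTORS = [
    ("date", ["date", "-u"]),
    ("uname", ["uname", "-a"]),
    ("processes", ["ps", "-ef"]),
    ("sockets", ["ss", "-tulpan"]),
]


def utc_now() -> str:
    """Timestamp in UTC so the log is unambiguous across time zones (slide 5)."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_collector(name, argv, timeout=60):
    """Run one collector and return (manifest_entry, stdout_bytes).

    Never raises: a missing or hanging tool is recorded in the manifest
    (returncode None, stderr text) instead of aborting the whole run.
    """
    start = utc_now()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        stdout, stderr, rc = b"", repr(exc).encode(), None
    entry = {
        "name": name,
        "argv": argv,
        "start": start,
        "end": utc_now(),
        "returncode": rc,
        "bytes": len(stdout),
        "sha256": sha256_hex(stdout),           # checksum of the output (slide 7)
        "stderr": stderr.decode(errors="replace")[:200],
    }
    return entry, stdout


def collect(collectors, outdir):
    """Run every collector in list order and write outputs plus manifest.json to outdir."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"host": platform.node(), "started": utc_now(), "items": []}
    for name, argv in collectors:
        entry, data = run_collector(name, argv)
        path = os.path.join(outdir, f"{name}.out")
        with open(path, "wb") as fh:
            fh.write(data)
        entry["file"] = os.path.basename(path)
        manifest["items"].append(entry)      # the "what and when" log (slide 6)
    manifest["finished"] = utc_now()
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(outdir):
    """Re-hash each output file; return the names whose hash no longer matches."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    mismatched = []
    for item in manifest["items"]:
        with open(os.path.join(outdir, item["file"]), "rb") as fh:
            if sha256_hex(fh.read()) != item["sha256"]:
                mismatched.append(item["name"])
    return mismatched


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "live_response_out"
    result = collect(DEFAULT_COLLECTORS, target)
    print(json.dumps(result, indent=2))
    print("verify:", verify(target) or "all hashes match")
```

Run it as `python collector.py /path/on/responder/media`. The manifest records each tool's argv, start and end time, return code and output hash, which is the record you hand over with the evidence; `verify()` is the check an examiner runs later to confirm the files were not altered after collection. Analysis of the outputs is done elsewhere, never on the suspect system.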

