Slide 1: Guidance EnCase Enterprise Architecture

Architecture diagram (component labels recovered from the slide):
- GSI SAFE server: authentication, logging and role-based permissions. The SAFE can be administered remotely by someone holding the "Keymaster" credentials, through the EnCase Enterprise Examiner.
- EnCase Enterprise Examiner: the analyst's workstation and user interface.
- EnCase Servlet: remote computers with the GSI servlet installed.
Slide 2: Run Threat Analyzer EnScript Module (WPMA.DLL integration)

Enter machines, IP addresses, or ranges to scan. Example targets shown on the slide: Zeus1, Finance Department Workstations, Research & Development Machines, Web Servers. Component in use: EnCase Examiner with WPMA.dll. Click Next.
Slide 3: Threat Analyzer EnScript, Select Scan Configuration Options (WPMA.DLL integration)

Each option is a checkbox in the Run Threat Analyzer EnScript Module dialog: Processes, Processes_Sweep, Drivers, Threads, Devices, SSDT, IDT, Network_Handles, File_Handles, Registry_Handles, VADS, Image_Imports, Image_Exports, DDNA, Signatures, Handle_Tables, Memory_Pools, Heaps. Component in use: EnCase Examiner with WPMA.dll. Click Next.
Slide 4: WPMA.DLL integration, how a scan runs

Threat Analyzer directs the servlet to send portions of the remote machine's physical memory back to the Enterprise Examiner across the network. The EnCase Examiner then passes that physical memory to WPMA.DLL for analysis. WPMA.DLL begins parsing the physical memory and tells EnCase which specific addresses it still needs from the servlet in order to complete each selected scan flag option. After completing the scan, WPMA.DLL returns a threat score of 1 or 0 to EnCase: 1 if the result is suspicious, 0 if it is not.
Slide 5: All Scan Flags for WPMA.DLL

- IMAGE_IMPORTS
- IMAGE_EXPORTS
- FILE_HANDLES (requires HANDLE_TABLES)
- REGISTRY_HANDLES (requires HANDLE_TABLES)
- IDT
- MEMORY_POOLS
- HEAPS
- DIGITAL_DNA
- SIGNATURES
- PROCESSES
- PROCESS_SWEEP
- DEVICES
- DRIVERS
- SSDT
- VADS
- THREADS
- NETWORK_HANDLES (requires HANDLE_TABLES)
- HANDLE_TABLES: this scan is required for FILE_HANDLES, REGISTRY_HANDLES and NETWORK_HANDLES, and extends the capabilities of DRIVERS and DEVICES.
Slide 6: Scan Flag Details for WPMA.DLL

- PROCESSES: performs a scan using kernel structures to locate processes.
- PROCESS_SWEEP: performs a search of memory for process objects (memory intensive).
- THREADS: performs a scan using kernel structures to locate threads.
- DEVICES: performs a scan using kernel structures to locate devices.
- DRIVERS: performs a scan using kernel structures to locate drivers.
- HANDLE_TABLES: performs a scan using kernel structures to locate active handles. This scan is required for FILE_HANDLES, REGISTRY_HANDLES and NETWORK_HANDLES, and extends the capabilities of DRIVERS and DEVICES.
- FILE_HANDLES: performs a scan using the handle tables to locate open files.
- REGISTRY_HANDLES: performs a scan using the handle tables to locate open registry keys.
- NETWORK_HANDLES: performs a scan using the handle tables to locate open network connections.
- VADS: performs a scan using kernel structures to locate virtual address descriptors.
- IMAGE_IMPORTS: analyzes the import tables for all known images (memory intensive).
- IMAGE_EXPORTS: analyzes the export tables for all known images (memory intensive).
- SSDT: performs a scan of the System Service Descriptor Table.
- IDT: performs a scan of the Interrupt Descriptor Table.
- MEMORY_POOLS: performs a scan of the system-allocated memory pools.
- HEAPS: performs a scan of each process's heap segments.
- DIGITAL_DNA: generates DDNA hashes of all images (memory and CPU intensive).
- SIGNATURES: compares all results to known signatures (CPU intensive).
Slide 7: Quick Scan Flags for WPMA.DLL

PROCESSES, PROCESS_SWEEP, DEVICES, DRIVERS, SSDT, VADS
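The deck's main configuration caveat is that the three handle-based scans silently depend on HANDLE_TABLES, and that several flags are memory or CPU intensive on the endpoint. The following is an added example, not code from Guidance Software, HBGary or the slide deck: it takes a scan-flag selection like the one in the Threat Analyzer dialog, reports missing hard dependencies, resolves them transitively, and summarises the expensive flags. The flag names, the HANDLE_TABLES dependencies, the "extends DRIVERS and DEVICES" note and the Quick Scan preset come from the slides; the function names and the cost summary format are this example's own assumptions.

```python
"""Scan-flag dependency check for a WPMA.DLL-style scan configuration.

Added example; not code from Guidance Software, HBGary or the slide deck.
Flag names and dependency rules come from slides 5 to 7; function names
and the cost-summary layout are this example's own assumptions.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Set, Tuple

# Flag names from slide 5.
ALL_FLAGS: Set[str] = {
    "PROCESSES", "PROCESS_SWEEP", "THREADS", "DEVICES", "DRIVERS",
    "HANDLE_TABLES", "FILE_HANDLES", "REGISTRY_HANDLES", "NETWORK_HANDLES",
    "VADS", "IMAGE_IMPORTS", "IMAGE_EXPORTS", "SSDT", "IDT",
    "MEMORY_POOLS", "HEAPS", "DIGITAL_DNA", "SIGNATURES",
}

# Hard dependencies the deck documents: the handle-based scans cannot run
# unless the handle tables have been walked first.
REQUIRES: Dict[str, Set[str]] = {
    "FILE_HANDLES": {"HANDLE_TABLES"},
    "REGISTRY_HANDLES": {"HANDLE_TABLES"},
    "NETWORK_HANDLES": {"HANDLE_TABLES"},
}

# Soft relationship from slide 6: HANDLE_TABLES extends DRIVERS and DEVICES.
EXTENDS: Dict[str, Set[str]] = {"HANDLE_TABLES": {"DRIVERS", "DEVICES"}}

# Resource notes from slide 6.
MEMORY_INTENSIVE = {"PROCESS_SWEEP", "IMAGE_IMPORTS", "IMAGE_EXPORTS", "DIGITAL_DNA"}
CPU_INTENSIVE = {"DIGITAL_DNA", "SIGNATURES"}

# The deck's Quick Scan preset (slide 7).
QUICK_SCAN: Set[str] = {"PROCESSES", "PROCESS_SWEEP", "DEVICES", "DRIVERS", "SSDT", "VADS"}


def _check_known(flags: Iterable[str]) -> Set[str]:
    """Normalise case and reject names that are not WPMA.DLL scan flags."""
    selected = {f.upper() for f in flags}
    unknown = selected - ALL_FLAGS
    if unknown:
        raise ValueError(f"unknown scan flag(s): {sorted(unknown)}")
    return selected


def missing_dependencies(flags: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {flag: hard deps not selected} for each flag that would fail.

    An empty dict means the selection can run as configured."""
    selected = _check_known(flags)
    return {
        f: REQUIRES[f] - selected
        for f in sorted(selected)
        if f in REQUIRES and REQUIRES[f] - selected
    }


def resolve_flags(flags: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Transitively add every hard dependency of the selected flags.

    Returns (resolved selection, flags that were added automatically)."""
    selected = _check_known(flags)
    resolved = set(selected)
    pending = list(selected)
    while pending:  # general closure, although the deck's graph is one level deep
        flag = pending.pop()
        for dep in REQUIRES.get(flag, ()):
            if dep not in resolved:
                resolved.add(dep)
                pending.append(dep)
    return resolved, resolved - selected


def scan_cost(flags: Iterable[str]) -> Dict[str, List[str]]:
    """Summarise which resolved flags the deck marks as expensive, and which
    scans gain extra coverage because HANDLE_TABLES is part of the run."""
    resolved, _ = resolve_flags(flags)
    extended = EXTENDS["HANDLE_TABLES"] if "HANDLE_TABLES" in resolved else set()
    return {
        "memory_intensive": sorted(resolved & MEMORY_INTENSIVE),
        "cpu_intensive": sorted(resolved & CPU_INTENSIVE),
        "extended_by_handle_tables": sorted(resolved & extended),
    }


if __name__ == "__main__":
    # Constructed selection: an analyst ticks the three handle scans but not
    # HANDLE_TABLES, the mistake the deck's asterisks warn about.
    selection = {"FILE_HANDLES", "REGISTRY_HANDLES", "NETWORK_HANDLES", "SIGNATURES"}
    print("missing:", missing_dependencies(selection))
    resolved, added = resolve_flags(selection)
    print("resolved:", sorted(resolved), "auto-added:", sorted(added))
    print("cost:", scan_cost(resolved))
    print("quick scan self-contained:", missing_dependencies(QUICK_SCAN) == {})
```

Running the module as a script shows the handle scans being rejected until HANDLE_TABLES is added, and confirms that the Quick Scan preset has no unmet dependencies, which is consistent with it omitting all three handle-based scans.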