Presentation is loading. Please wait.

Presentation is loading. Please wait.

WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+

Published byBria Winnett Modified over 9 years ago

Similar presentations

Presentation on theme: "WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+"— Presentation transcript:

1 WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+

2 WHAT IS INCIDENT RESPONSE An organized approach to addressing and managing the aftermath of a security breach or attack.

3 STEPS TO SUCCESS

4 PURPOSE OF INCIDENT RESPONSE  Preparation  User Awareness  Detection & Analysis  Did an incident occur  Containment  Prevent further damage  Eradication  Root cause analysis  Recovery  Reimage the affected workstation  Post Incident Activity  Lessons Learned

5 PREPARATION  User Awareness & Training

6 SOCIAL ENGINEERING

7 DETECTION & ANALYSIS  You can’t Respond if you can’t Detect  Logs – Hopefully a SIEM  Workstation \ Server  Firewall  IDS \ IPS  Internet Proxy \ Filter  MSSP \ 3 rd Party  End Users \ Customers  You!

8 CONTAINMENT  Prevent Further Damage  NAC  ACL  Firewall  Switch  Software  Application Whitelisting  AV

9 ERADICATION  Root Cause Analysis  Make Sure Problem Does Not Come Back!

10 RECOVERY  Known Good Configuration  Reimage Device  Restore from Backup

11 POST INCIDENT ACTIVITY  Lessons Learned  What Worked  What Didn’t Work  New Policy \ Procedures  Change to existing Controls  Implement New Controls

12 WINDOWS BASED FORENSIC TOOLKIT

13 TABLEAU WRITE BLOCKER  SATA\IDE

14 DIGITAL CAMERA  Document state of evidence  Inventory items seized

15 CHAIN OF CUSTODY FORM  Log all transfer of evidence

16 EVIDENCE BAGS

17 MISC.

18 ACCESSDATA FTK IMAGER  Physical\Logical Hard Drive Acquisition

19 ACCESSDATA FTK IMAGER  Live Memory Acquisition  Encryption Keys, Passwords, Running Processes

20 IMDISK VIRTUAL DISK DRIVER  Mount evidence files as Read Only Hard Drive

21 REGRIPPER  Registry Analysis  SAM  Security  Software  System  NTUser

22 HELIX  Free Version still available  Best of Both Worlds  Run applications from within Windows  Boot from Linux Live CD

23 MALWAREBYTES ANTI-MALWARE

24 EXIFTOOL - PHOTOS

25 EXIFTOOL – OFFICE DOCUMENTS

26 PROCMON

27 INTERNET EVIDENCE FINDER

28 FORENSIC SOFTWARE SUITE

29 FORENSICS AND THE STATE OF MICHIGAN  PROFESSIONAL INVESTIGATOR LICENSURE ACT  As of May 28, 2008, all computer forensic firms must have a Private Investigators license to practice in Michigan.  Any person engaged in the collection of electronic evidence and/or engaged for the presentation electronic evidence in a Michigan court must have a valid Private Investigators License

30 REFERENCES & THANKS  NIST 800-61  NIST 800-86  http://www.cert.org/csirts/Creating-A-CSIRT.html  http://www.ussecurityawareness.org/highres/incident- response.html  http://windowsir.blogspot.com  http://www.ericjhuber.com  Chris Pogue – Trustwave SpiderLabs  http://blog.spiderlabs.com (Sniper Forensics)

31 NEXT TIME

Download ppt "WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+"

Similar presentations

Identifying and Responding to Security Incidents in the Law Firm

Identifying and Responding to Security Incidents in the Law Firm
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
What You Will Learn Components of a computer’s system software The importance of an operating system Functions of an operating system Types of user interfaces.

What You Will Learn Components of a computer’s system software The importance of an operating system Functions of an operating system Types of user interfaces.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
1 Web Server Administration Chapter 3 Installing the Server.

1 Web Server Administration Chapter 3 Installing the Server.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Week:#14 Windows Recovery

Week:#14 Windows Recovery
Network security policy: best practices

Network security policy: best practices
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Computerized Networking of HIV Providers Networking Fundamentals Presented by: Tom Lang – LCG Technologies Corp. May 8, 2003.

Computerized Networking of HIV Providers Networking Fundamentals Presented by: Tom Lang – LCG Technologies Corp. May 8, 2003.
Security Guide for Interconnecting Information Technology Systems

Security Guide for Interconnecting Information Technology Systems
Passwords, Encryption Forensic Tools

Passwords, Encryption Forensic Tools
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk.

COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google